PIPEDA compliance improving slowly.

As new data breaches during 2006 reinforced concerns about security issues and trans-border data flows in Canada, there has never been a greater need to take data protection seriously, according to the Privacy Commissioner of Canada, Jennifer Stoddart. Her 2006 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was sent to the Canadian Parliament for consideration May 31. Enacted in 2000, PIPEDA is Canada's private-sector privacy law enforced by the privacy commissioner.

Privacy complaints against some of the major sectors covered by PIPEDA since 2001 (financial institutions, insurance companies, and the transportation sector) have declined slightly. This is in contrast, however, to those industries that have been subject to PIPEDA only since 2004, such as the retail and accommodation sectors, which have been the focus of substantially more complaints than in previous years. Overall, there were 424 complaints in 2006, compared with 400 in 2005.

[ILLUSTRATION OMITTED]

"We are pleased to see fewer complaints related to sectors more familiar with PIPEDA; I believe it stems from a stronger understanding of the act. It would appear that compliance is improving with time and we look forward to seeing this trend continue" Stoddart said. "Sectors with less experience with PIPEDA have more work to do. As they gain a better understanding of what the law requires, we expect to see a decrease in complaints involving them"

However, the results of a survey of Canadian businesses on privacy-related issues conducted by Ekos Research Associates and released earlier this year raised important questions about whether some businesses are doing enough to fulfill their PIPEDA obligations.

The survey found that:

* While the majority--67 percent--of businesses that collect personal customer information have fully implemented PIPEDA provisions, a small but not insignificant number are only in the process of implementation (16 percent), and still others are not in the process of doing so (15 percent).

* Only one-third of all businesses report their staff has been trained on their responsibilities under Canada's privacy laws.

* Fewer than one in five businesses has sought clarification of their role, although this is also much higher among larger businesses.

"Almost half of the businesses studied tend to rate their company's awareness of its responsibilities under the privacy laws favorably," Stoddart said. "However, a similar number report either low or moderate awareness. PIPEDA and its provincial counterparts regulate commercial activity in Canada. All businesses that handle personal information need a good understanding of what the law requires."

Stoddart also expressed concern with the finding that only a third of businesses have provided privacy training for staff, saying that staff training is "absolutely essential" in preventing privacy breaches.