How to Collect Personal Information
The following checklist may be helpful in collecting personal information. It is intended to be helpful, but it is not legal advice.
It is written at a high level of generality to give the new or busy privacy officer a quick and useful overview of the requirements under PIPEDA. Many people have invested much thought in creating other helpful guidance documents with lower levels of generality and additional detail. Several very helpful ones are listed below the following checklist.
Checklist
Identify your desired use or disclosure motivating your collection of the information.
Identify the time duration for which you will need to retain the Personal Information. Consider proposed uses, taxes, credit card chargebacks, and other legal retention requirements.
Identify the information necessary to be collected for the desired use or disclosure. "Necessary" means you may collect less information than you would if you were free to collect more than is "necessary".
Identify which necessary information is Personal Information.
Identify the consequences of the individual not consenting to the collection, use or disclosure of Personal Information. (Don't make the supply of the service or product dependent upon consent unless necessary.)
Determine which of the necessary Personal Information is sensitive and which is not sensitive Personal Information.
Choose an appropriate consent process. (Sensitive information requires express opt-in consent. The continuum is express opt-in consent, express opt-out consent and implied consent.)
Choose a sufficient form for obtaining evidence of consent.
Disclose clearly and simply to the individual your desired uses and disclosures for which you are collecting the Personal Information and your contemplated duration of retention of the information.
Disclose to the individual the consequences of not consenting to the collection, use or disclosure of the Personal Information.
Obtain evidence of appropriate consent. (Express or implied, opt-in or opt-out.)
Collect the Personal Information simultaneously or immediately after obtaining the evidence of required consent.
Diarize the maximum and minimum time frames for verifying the accuracy of the information collected and the destruction of, or rendering anonymous, the information collected.
Once you have collected the Personal Information, store it properly.
Compliance Guides with lower levels of generality
- Canada's Privacy Commissioner's "Guide for Businesses and Organizations to Canada's Personal Information Protection and Electronic Documents Act" is helpful.
- Canadian Institute of Chartered Accountants' Privacy Package contains a link to their free downloadable AICPA/CICA Privacy Framework. The AICPA/CICA Privacy Framework is the best and most helpful single document we have reviewed. It has a low level of generality and the detail may be daunting for some. However, the benefits available through the additional effort required to review and understand it are, in our opinion, well worth the time and concentration investment required.
- Industry Canada's Privacy for Business
- Industry Canada's Online E-security and Privacy Guide
- Treasury Board of Canada Secretariat's Privacy Impact Assessment (PIA) E-learning tool
- The Information and Privacy Commissioner of Ontario's Privacy Diagnostic Tool (PDT) Workbook. They describe it as a self-assessment program used to help businesses gauge their privacy readiness.




