New Federal Privacy Act

Bruce Gravel,
Secretary Treasurer,
Tourism Federation of Ontario

The following information comes courtesy of the Tourism Federation of Ontario (TFO) and the Hotel Association of Canada, for which we thank them both.

ALERT: The new federal Privacy Act, (or Personal Information Protection and Electronic Documents Act), will apply to all Canadian businesses, including tourism operations, as well as all non-profits, starting January 1, 2004.

Previous TFO Board meetings discussed that Ontario would enact its own privacy law as of January, 2003. That never happened and, to date, there is no indication that Ontario will enact its own privacy law anytime soon. Therefore, the federal Privacy Act will apply to Ontario (and to any other province that does not have its own privacy law).

The federal Privacy Act has implications for tourism operators regarding guest registration, marketing research, marketing and loyalty programs. The key provision, as it impacts our industry, is the collection of guest information. In this age of guest preferences and mass marketing, operators must take action by January 1, 2004 to be in compliance with the federal law.

Any collection of guest information exceeding what is normally on a business card or in a phone book is now impacted by the federal Privacy Act.

Informed (written) consent must be received from the guest. All operators should immediately implement plans to meet the requirements of the new federal Privacy Act. Collection of information through guest registration, for example, which you later use for your marketing programs and keeping note of the guest’s preferences, is legal because it benefits the guest. However, informed consent must be given by the guest on your Registration Card.

Exemption: The federal Privacy Act does not apply to information collected on an individual if it is used strictly and only for personal benefits to the guest, and is not used anywhere else.

Your obligations: Every operator is required to comply with certain principles set out in a Schedule to the Act. There are 12 such requirements outlined in an Executive Summary, an example of which is:

“Consent to the collection, use or disclosure of personal information must be informed (written) and, except to the extent required for the supply of a product or service, cannot be imposed as a condition of such supply (ie: informed consent must be given for the collection of personal information). Change your Registration Card to reflect consent.”

A detailed Executive Summary prepared by the Hotel Association of Canada on the federal Privacy Act, as well as a sample guest consent form, can be found at Click on “Newsworthy Info” to view the document under the heading “Critical Issues Update”.

Certain violations of the federal Privacy Act may result in a fine of up to $100,000.

The federal law has been in force since January 1, 2001, however, it only impacted primarily financial institutions. The federal law takes effect for all other businesses, including tourism businesses and non-profit associations, on January 1, 2004. The federal Act applies to individual personal information, not business/corporate information.

The following information was provided to us by Bruce Gravel, Executive Director of the Ontario Accommodation Association (OAA). They obtained this information from a Privacy lawyer:

The legislation applies to every organization including non-profits that collects, uses or discloses personal information in the course of their commercial activities. The definition of “personal information” includes age, likes/dislikes, spending patterns.

EXISTING DATA: Information that you have previously collected is permissible, as long as the information used is not disclosed outside the province in which it was collected. We interpret this to mean that you can use the guest information you have collected up to January 1, 2004, as long as it is your business that uses it and you do not send it to other businesses or organizations outside Ontario.

TIP: If guests question your consent form for the collection of information, don’t tell the guest that you will be using this information for marketing purposes (no one would agree to receive more “junk mail”). Instead, tell them you will use it to contact them with information that you feel will be of interest to them.

SECURITY: Each business is responsible for the information under its control. You must keep guest information in a secure place, and limit its use, disclosure and retention. It must be accurate. Individuals will have the right to access the information you have about them, and can challenge compliance. You should also have a privacy policy for your business, and must publicize it. (OAA is trying to have a Privacy lawyer develop a generic policy, which our members may adapt to their needs.)

CAMERAS: Operators with security cameras should be aware that by January 1, 2004, you must post a sign in your lobby informing the public that security cameras are in use and why (“for your safety and security”). This means that consent is implied when the person enters your premises.

If you have not already done so, you should promptly inform your individual members to prepare for this new law.

This article was taken from pages 36 & 37 of NOTO's "The Outfitter" publication, Spring 2004 Issue


NOTO 386 Algonquin Avenue, North Bay, ON P1B 4W3 • T 705.472.5552 • F 705.472.0621 •
Website designed by Sofa Communications