Client Identification - PIPA

The Personal Information and Protection Act (PIPA) came into effect in 2004. It attempts to strike a balance between an individual’s right to have his or her personal information protected and an organization’s need to collect, use and disclose personal information for purposes that are reasonable (section 3 of PIPA).

Law firms are subject to PIPA and may be subject to the federal privacy legislation, the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5 (PIPEDA), with respect to some activities. The Legal Education Society of Alberta (LESA) presents seminars on privacy issues from time to time. Please see the LESA website for more information if you want to learn more about the fields of privacy and personal information.

While privacy law is a practice area, it also impacts what you do when you engage in the practice of law. You must understand how PIPA impacts the operation of your firm because a law firm is an organization that must comply with PIPA in terms of how it collects, uses, and discloses personal information. PIPA requires that all organizations name a Privacy Officer (section 5(3)) and that they develop and follow policies and practices that are reasonable for the organization to meet its obligations under PIPA (section 6(1)). 

One of PIPA’s key privacy principles is that organizations may collect personal information for purposes that are reasonable (section 11). This means you should only collect information that is necessary for the purpose for which you are collecting it; do not collect more information than needed. While many of the provisions of PIPA are based on consent, section 11 does not contain a curative consent element. Gathering more personal information than needed, or gathering it before it is required, is not reasonable. For this reason, do not collect client identification information before you are retained, and do not collect verification information merely because you might need it later.

PIPA also requires that organizations take care of, and take reasonable measures to protect, personal information that is in their custody. So, if your law firm collects personal information about clients or others, you have a duty to protect that personal information. You must: 

  • use it only for purposes that are reasonable;
  • disclose it only for reasonable purposes; and 
  • dispose of it securely when it is no longer required.


Lawyers are required to retain copies of documents used to verify a client’s identity, as well as their documentation of a client’s identity, for a period of at least six years following completion of the work for which the lawyer was retained (Rules of the Law Society of Alberta, Rule 119.51(3)). This includes copies of driver’s licenses and other identity documents obtained while complying with the Verification Rules. In situations where only client identification (but not verification) is required, this includes documentation of the client’s name, the address and telephone number for their home and place of work, and the client’s occupations, as required by Rule 119.47. You must protect this information and then dispose of it in a secure manner when it is no longer needed.

Last modified: Monday, 21 August 2023, 9:25 AM