7.5 Client Identification - PIPA
PIPA came into effect in 2004. It attempts to strike a balance between an individual’s right to have his or her personal information protected and an organization’s need to collect, use and disclose personal information for purposes that are reasonable (section 3 of PIPA).
Law firms are subject to PIPA and may be subject to the federal privacy legislation, the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5 (PIPEDA), in respect of some activities.
The Legal Education Society of Alberta (LESA) presents seminars on privacy issues from time to time. Please see the LESA website for more information if you are interested in learning more about legal issues in the fields of privacy and personal information.
While privacy law is a practice area, it also impacts what you do when you engage in the practice of law. You must understand how PIPA impacts the operation of your firm because a law firm is an organization which must comply with PIPA in terms of how it collects, uses and discloses personal information.
PIPA requires that all organizations name a Privacy Officer (section 5(3)) and that they develop and follow policies and practices that are reasonable for the organization to meet its obligations under PIPA (section 6(1)).
One of the key privacy principles embodied in PIPA is that organizations may collect personal information for purposes that are reasonable (section 11). This means that you should only collect information that is actually necessary for the purpose for which you are collecting it - do not collect more information than you need! While many of the provisions of PIPA are based on consent, section 11 does not contain a curative consent element.
To return to the issues of identifying and verifying clients, gathering more personal information than you need, or gathering it before it is required, is not reasonable. This is why you should not collect client identification information before you are retained or collect the verification information just in case you may want it later.
PIPA also requires that organizations take care of, and take reasonable measures to protect, personal information that is in their custody or control. So if you, as a law firm, collect personal information about clients or others, you have a duty to protect that personal information that you collect, only use it for purposes that are reasonable, only disclose it for reasonable purposes and dispose of it securely when you no longer require it.
Lawyers are required to retain copies of documents used to verify a client’s identity for a period of at least six years following completion of the work for which the lawyer was retained (Rules of the Law Society of Alberta, Rule 118.7(3)). This will include copies of driver’s licenses and other identity documents you obtained while complying with the Verification Requirements. You must protect this information while you keep it and then dispose of it in a secure manner.