Keeping customer information private

DATE: | Industry bulletins

When a consumer purchases or leases a vehicle they are trusting a salesperson with their personal information. It is the responsibility of the salesperson and business to ensure customer information remains secure from the beginning, through to storage and finally secure disposal. Confidentiality is covered in the AMVIC Code of Ethics which licensees should be following.

The Personal Information Protection Act (PIPA) lays out rules for Alberta businesses for the collection, use and/or disclosure of personal information. An organization under PIPA:

  • May only collect, use or disclose personal information to the extent that is reasonable to meet the purposes for which it is collected, used or disclosed in the first place;
  • Should get the individual’s consent and provide notification on the purposes for which the personal information is being collected, used or disclosed and a contact person to answer questions related to the collection, use or disclosure;
  • Where consent is not required under PIPA, ensure appropriate notification, as may be required, is in place and/or documentation of the authorization for the use or disclosure is recorded;
  • Must protect any personal information in its custody or control by making reasonable security arrangements against such risks as unauthorized access, use, disclosure, copying, modification, disposal, or destruction, whether accidental or deliberate;
  • Must give consideration to reporting any incident involving the loss or unauthorized access to, or disclosure of, personal information in the organization’s custody or control to the Office of the Information and Privacy Commissioner (OIPC). When a reasonable person would consider that there exists a real risk of significant harm to an individual, it is a privacy breach and must be reported to the OIPC;
  • Should keep personal information only for as long as it is reasonably required for business and legal purposes;
  • Must securely destroy personal information or render it non-identifying within a reasonable time period after it is no longer required;
  • Must designate an individual to be responsible for ensuring the organization is compliant with PIPA. This individual is often referred to as a “Privacy Officer”;
  • Must develop and follow policies and practices that are reasonable to meet its obligations under PIPA.


It is good business practice to store consumer information in a secure, locked container such as a filing cabinet when not actively using it or away from your desk. Under section 132(1) of the Consumer Protection Act, it is a requirement to create and maintain complete and accurate financial records, and every business operator and former business operator must maintain all records and documents created or received while carrying on the activities authorized by the business licence for at least three years after the records were created or received.

Once consumer information is no longer needed, it is highly recommended it is securely shredded to prevent the possibility of identity theft. Never leave consumer information in an easily accessible area such as on a desk or in a paper recycling bin or garbage. More information on identity theft prevention can be found on the Government of Canada’s website.