
The Ultimate Guide to Canadian PIPEDA

Privacy is a human right. It allows us to set boundaries from unwanted interferences in our lives. It protects us from uninformed and unjustified use of power by companies and states. Many countries worldwide have articulated in their constitution the protection of privacy.

In Canada, many laws relate to privacy rights. Different government agencies and organizations oversee the implementation of these laws. One of these laws is the Personal Information Protection and Electronic Documents Act or PIPEDA.

What is PIPEDA?

Personal Information Protection and Electronic Documents Act

PIPEDA came into effect in January 2004, serving as Canada’s federal privacy law for organizations in the private sector.

It originally became law in April 2000 to build trust in electronic commerce. Its scope has since widened to cover industries such as broadcasting, banking, and the health sector.

PIPEDA stipulates that a person should have access to all personal information an organization holds about them. The person should know who is responsible for data collection and why the data is collected, and should be able to check the accuracy of the data collected.

Why was PIPEDA created?

Most organizations depend on personal information to stay in touch with their clients. It also enables them to understand how their target market tends to use their products or services.

The law aims to oversee the usage and disclosure of personal information in such a way that it still respects the right to privacy of an individual. It seeks to strike a balance between the needs of a company and what a person deems to be appropriate in any given situation.

With PIPEDA, information about identifiable individuals such as age, ethnicity, medical records, credit records, income, evaluations, and opinions is protected.

Who does PIPEDA apply to?

PIPEDA applies to organizations in the private sector that gather, utilize, and disclose personal information during a commercial activity.

The law defines a “commercial activity” as any transaction, conduct, or act that is commercial in nature. It includes bartering, selling, or leasing of fundraising lists. As long as the company is not federally regulated, PIPEDA covers it.

Companies that operate in the following areas are covered by PIPEDA: Manitoba, Yukon, New Brunswick, Saskatchewan, Prince Edward Island, Ontario, Nunavut, Nova Scotia, Northwest Territories, and Newfoundland and Labrador.

There are some situations wherein this law does not apply, such as:

  • Personal information processed by federal government agencies covered by the Privacy Act
  • Provincial and territorial governments
  • Business contact details such as a name, position, address, contact number or email address used or disclosed strictly for the purpose of communicating with the employee in relation to their job or profession
  • Information used solely for personal purposes
  • Personal information processed by an organization for literary, artistic or journalistic purposes

Non-profit organizations, charity groups, political parties, and associations are also not covered by PIPEDA unless they get involved with commercial activities that are not part of their mandate.

Provincial laws govern municipalities, schools, hospitals, and universities. However, there are some instances where PIPEDA may be applicable.

PIPEDA principles

Companies need to adhere to the ten fair information principles to protect personal information. These are found in Schedule 1 of PIPEDA and are based on the Canadian Standards Association's Model Code for the Protection of Personal Information.

  1. Accountability – the company is ultimately responsible for the personal information in its control. It needs to assign a person or group of people who will ensure that the company complies with the ten fair information principles.
  2. Identifying purposes – the company needs to clearly identify the purpose of gathering personal information. This should be done before or at the time the data is collected.
  3. Consent – the person should be well informed and provide consent before their personal information can be collected, used, or disclosed, except where seeking consent would be inappropriate.
  4. Limiting collection – the information collected should be limited to what is needed for the purpose specified by the company. Information should be collected using fair and lawful methods.
  5. Limiting use, disclosure, and retention – personal information should be used, disclosed, and retained solely for the purpose specified by the company, unless the person consents otherwise or the law requires it.
  6. Accuracy – personal information collected should be accurate, up to date, and complete for the purposes for which it is used.
  7. Safeguards – the company must put in place security safeguards appropriate to the sensitivity of the personal information handled.
  8. Openness – a company should always make the policies and practices used in the management of personal information readily accessible.
  9. Individual access – a person should be made aware of the existence, use, or disclosure of his or her personal information. He or she should be given access to this information upon request. A person is allowed to challenge the completeness and accuracy of the data and have it corrected as needed.
  10. Challenging compliance – a person can raise any concern related to a company's compliance with the principles above. He or she can relay the matter to the person or group designated by the company to monitor compliance.

In addition to the above, the Office of the Privacy Commissioner of Canada considers the following as inappropriate use of personal information:

  • Collection, usage or disclosure of personal information using unlawful means
  • Profiling individuals in such a way that results in unethical or discriminatory treatment
  • Using personal information for purposes that may harm a person
  • Publication of personal information for the purpose of charging a fee for its removal
  • Requiring individuals to give their passwords in social media accounts during employee screening
  • Surveilling a person through their own devices

PIPEDA compliance checklist

Checking whether personal information is being used appropriately has become more difficult. Organizations must therefore perform proper self-assessments to ensure compliance with the fair information principles.

The Office of the Privacy Commissioner of Canada created a self-assessment tool to guide medium and large companies in developing and implementing personal information management systems and practices.

The tool has two parts:

  1. A compliance guide that explains your responsibilities under PIPEDA.
  2. A diagnostic tool, which is a series of compliance checklists you can use to check your business's compliance with the fair information principles.

Below are some examples of points you can find in the checklist:

  1. Accountability – you have reviewed your privacy policies and are satisfied that they are complete and understandable.
  2. Identifying purposes – you can identify why you need personal information before or at the time of collection.
  3. Consent – you obtain consent for the collection, use, or disclosure of personal information.
  4. Limiting collection – you restrict the type and amount of personal information you gather to what is needed for the purpose identified.
  5. Limiting use, disclosure, and retention – you do not use or disclose the information for purposes that are not part of the reason it was collected.
  6. Accuracy – reasonable measures are in place to make sure that personal information is complete, accurate, and up to date before it is used.
  7. Safeguards – physical, administrative, and technical safeguards are in place to protect personal information from theft, loss, disclosure, unauthorized access, and modification.
  8. Openness – you can explain to customers why you gather their personal data, how you will use it, and when you will disclose it.
  9. Individual access – upon request, you give an individual a complete list of all the third parties to whom you have disclosed their personal information.
  10. Challenging compliance – policies and procedures are established for receiving and responding to complaints or questions about how you handle personal information.

PIPEDA vs GDPR

Many people tend to confuse PIPEDA with the GDPR, the EU's General Data Protection Regulation. However, there are some key differences between the two laws.

  • Applicability criteria – the GDPR has a broad scope. It applies to any person, public authority, agency, or body that keeps or processes sensitive data of EU data subjects. PIPEDA only applies to personal information used during a commercial activity.
  • Extraterritoriality – extraterritoriality is not explicitly stated in PIPEDA, whereas in GDPR, there exists an extraterritoriality clause.
  • Consent for processing data – the GDPR requires explicit consent from an individual. In PIPEDA, companies can decide if they will seek explicit or implicit consent.
  • Right to be forgotten – the GDPR gives a person the right to be forgotten, under which they can ask for their data to be deleted from the database. PIPEDA gives a person the right to withdraw their consent, but a company can still keep the data depending on the stated retention period.
  • Data portability – only the GDPR gives a person the right to portability, under which a person can receive all of the data a company has collected about them in a structured, machine-readable format.
  • Data breach notification timeline – the GDPR gives companies only 72 hours from the time they become aware of a serious data breach to report it. PIPEDA does not stipulate any timeline.

Final words

Having a privacy policy doesn't mean much if it does not comply with the regulations. As such, it is essential to have a good understanding of this law and its requirements and make sure you're not missing anything.