Posted on December 4, 2019 | Categories: Compliance
PIPEDA, the Personal Information Protection and Electronic Documents Act, is a privacy law that applies to private-sector organizations and businesses throughout Canada.
The goal of PIPEDA is to ensure that all provinces and territories protect personal data. This includes:
While PIPEDA lists 10 central tenets that businesses must follow, the core idea of PIPEDA is that businesses should act in good faith when collecting and using personal information.
PIPEDA applies to most businesses in Canada that handle personal information, exempting only provinces and territories where similar laws were put into place prior to PIPEDA.
Commercial organizations that collect personal data – including names, addresses, demographics, financial information, and medical information, among others – must comply with PIPEDA unless specifically exempt.
Some provinces and organizations are exempt from PIPEDA, including:
The exemptions above do not include federally regulated organizations or organizations that move personally identifiable data out of the province, whether within Canada or internationally.
Still not sure if PIPEDA applies to you? Check out the Office of the Privacy Commissioner of Canada’s search page.
The 10 fair information principles outline the ways in which businesses must work to protect personal information.
Protect the personal information your organization requests by making a specific person responsible for PIPEDA compliance. Apply policies and practices that dictate the collection and safe storage of personal information within your organization.
Outline the purpose of data collection internally and for your customers:
Request consent in a way that your customers can understand. Per PIPEDA, consent is only valid if it’s reasonable that the individuals your organization serves would understand why you are collecting their information and what it will be used for. You must have consent to collect and use personal information.
Ask for and collect only the information that your organization needs. Maintain honesty and clarity about why you are requesting personal information and what you will do with it.
Use the information you collect only for the purposes your customers consented to. Avoid holding onto personal data longer than necessary and follow best practices for storing, transferring, and destroying personal information.
Unlike some privacy laws, PIPEDA stipulates that organizations are responsible for any employees that disregard privacy policies, even if they do so accidentally.
Use correct information wherever possible, especially when making decisions about an individual. Work to keep information up to date and accurate. Remember that people can ask to see and correct any of their data.
Ensure the data you collect is viewed only by appropriate parties, whether within or outside your organization. Follow practices that protect personal information from theft and unauthorized access. Failure to put in place appropriate safeguards may result in fines.
While PIPEDA does not outline specific tools or ways in which data must be safeguarded, using secure servers and encryption methods can keep private information safe during data exchanges and help organizations avoid insecure collection, storage, or disposal methods.
Maintain an open dialogue about your data collection and use practices. Customers and employees should understand your reasons for capturing personal information, as well as your policies around storage, access, and removal.
The people whose data you are collecting have the right to view any personal information of theirs that you have on hand. You should also be able to identify which groups or individuals have seen or used it.
Create straightforward and accessible complaint processes that those whose information you collect can use to challenge compliance with PIPEDA. Make it simple to change and correct your intake processes to comply with PIPEDA.
The majority of complaints are reviewed by the Privacy Commissioner of Canada and, wherever possible, resolved through negotiation and cooperation outside of the courts. The Office of the Privacy Commissioner also offers tips for avoiding complaints.
Detailed descriptions of each of the 10 principles of PIPEDA can be found at priv.gc.ca.
Organizations that knowingly violate PIPEDA requirements for proactive security safeguards, data breach reporting, and keeping data breach records may be fined up to $100,000 CAD per violation.
Reporting data breaches was voluntary under PIPEDA until 2018, at which time reporting any breaches that risk harming individuals became mandatory. Organizations are now required to keep records of all data breaches for 24 months following the initial discovery of a breach. Penalties for non-compliance were introduced alongside the new reporting requirement.
Businesses are most at risk for fines if they discover a data breach and fail to alert customers and the Office of the Privacy Commissioner of Canada. Failing to establish security safeguards also exposes businesses to financial penalties.
PIPEDA as a whole is essentially a good-faith agreement put into law that protects personal information. Though most investigations are mediated to come to a positive outcome for the organization and the complainant, PIPEDA lists three instances that could lead to criminal prosecutions:
Any personal information collected as part of a commercial activity is covered by PIPEDA. This includes:
Business contact information needed to conduct work, including employee names, titles, business addresses, phone numbers, and email addresses, is not covered.
Make your information intake, exchange, and correction processes simple with managed file transfer.