PIPEDA, the Personal Information Protection and Electronic Documents Act, is a privacy law that applies to private-sector organizations and businesses throughout Canada.
The goal of PIPEDA is to set consistent rules for how private-sector organizations collect, use, and disclose personal information in the course of commercial activity, wherever in Canada they operate. This includes:
- Asking for and obtaining consent when an individual’s information is initially gathered, used, or shared.
- Allowing individuals to view or correct their personal information.
- Appropriately storing and disposing of personal data.
While PIPEDA sets out 10 fair information principles that organizations must follow, the core idea is that businesses should act in good faith when collecting, using, and disclosing personal information.
Does PIPEDA Apply to My Business?
PIPEDA applies to most private-sector organizations in Canada that collect, use, or disclose personal information in the course of commercial activity. The main exemption is for activity within provinces whose own privacy laws have been declared substantially similar to PIPEDA.
Commercial organizations that collect personal data – including names, addresses, demographics, financial information, and medical information, among others – must comply with PIPEDA unless specifically exempt.
Related Reading: 15 Ways to Avoid Document Chaos with Secure Forms
Some provinces and organizations are exempt from PIPEDA, including:
- Provinces that have enacted private-sector privacy laws deemed substantially similar to PIPEDA: Alberta, British Columbia, and Quebec.
- Health information custodians in provinces with substantially similar health-privacy laws: New Brunswick, Newfoundland and Labrador, Nova Scotia, and Ontario.
- Not-for-profit groups, charities, and political parties and associations, unless they use personal information in a commercial activity that is not central to their mandate.
- Federal government institutions, which are covered by the Privacy Act rather than PIPEDA.
The exemptions above do not apply to federally regulated organizations (such as banks, airlines, and telecommunications companies), and PIPEDA still applies to personal information that crosses provincial or national borders in the course of commercial activity, even when the organization is based in an exempt province.
Still not sure if PIPEDA applies to you? Check out The Office of the Privacy Commissioner of Canada’s search page.
How Do I Comply with PIPEDA?
The 10 fair information principles outline how organizations must protect personal information.
1. Accountability
Protect the personal information your organization requests by making a specific person responsible for PIPEDA compliance. Apply policies and practices that govern the collection and safe storage of personal information within your organization. Your organization remains responsible for personal information it has transferred to a third party for processing.
2. Identifying purposes
Outline the purpose of data collection internally and for your customers:
- Give your customers an overview of why you are collecting their information and what you will use it for. To use their information for any new purpose, you must obtain their consent again.
- Internally, identify why you are collecting personal information, and ensure that each piece of data is required for a specific purpose.
3. Consent
Request consent in a way that your customers can understand. Per PIPEDA, consent is only valid if it is reasonable to expect that the individuals your organization serves would understand the nature, purpose, and consequences of the collection, use, or disclosure they are agreeing to. You must have consent to collect, use, or disclose personal information, except in the limited circumstances the Act spells out.
4. Limiting collection
Ask for and collect only the information that your organization needs. Maintain honesty and clarity about why you are requesting personal information and what you will do with it.
5. Limiting use, disclosure, and retention
Use the information you collect only for the purposes your customers consented to. Avoid holding onto personal data longer than necessary and follow best practices for storing, transferring, and destroying personal information.
Note that PIPEDA holds the organization responsible for personal information in its custody, including when an employee disregards privacy policies, whether deliberately or by accident.
Related Reading: 10 Easy Ways to Protect Your Data at Work
6. Accuracy
Keep information as accurate, complete, and up to date as the purposes for which it is used require, especially when making decisions about an individual. Remember that people can ask to see and correct any of their data.
7. Safeguards
Ensure the data you collect is accessed only by appropriate parties, whether within or outside your organization. Protect personal information against loss, theft, and unauthorized access, disclosure, copying, use, or modification with safeguards proportionate to its sensitivity. Failure to put appropriate safeguards in place is a contravention of PIPEDA that can lead to complaints, an investigation by the Privacy Commissioner, and Federal Court proceedings.
While PIPEDA does not prescribe specific tools or technologies, it expects a mix of physical, organizational, and technological measures. In practice that means encrypting personal information in transit and at rest, restricting access to staff who need it, and using secure methods for collection, storage, transfer, and disposal.
Related Reading: Think Your Customer Data was Exposed? Follow These Steps
8. Openness
Maintain an open dialogue about your data collection and use practices. Customers and employees should be able to find out, without unreasonable effort, why you capture personal information and what your policies are around storage, access, and removal.
9. Individual access
The people whose data you collect have the right to be told that you hold personal information about them, to view it, and to challenge its accuracy. You should also be able to account for how it has been used and to which third parties it has been disclosed.
10. Challenging compliance
Create straightforward and accessible complaint processes that those whose information you collect can use to challenge compliance with PIPEDA. Make it simple to change and correct your intake processes to comply with PIPEDA.
The majority of complaints are reviewed by the Privacy Commissioner of Canada and resolved through negotiation and cooperation, outside of the courts where possible. The Office of the Privacy Commissioner also offers tips for avoiding complaints.
Detailed descriptions of each of the 10 principles of PIPEDA can be found at priv.gc.ca.
What are PIPEDA’s Fines & Penalties?
Organizations that knowingly fail to report a breach of security safeguards to the Privacy Commissioner, knowingly fail to notify affected individuals, or knowingly fail to keep the required breach records may be fined up to $100,000 CAD per violation.
Reporting data breaches was voluntary under PIPEDA until November 1, 2018, when reporting breaches of security safeguards that pose a real risk of significant harm to an individual became mandatory. Such breaches must be reported to the Office of the Privacy Commissioner and the affected individuals must be notified as soon as feasible. Organizations are also required to keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for 24 months after the day they determine the breach occurred. Penalties for non-compliance were introduced alongside the new reporting requirement.
Businesses are most at risk of fines if they discover a data breach and fail to alert affected individuals and the Office of the Privacy Commissioner of Canada. Failing to establish adequate security safeguards is itself a contravention of PIPEDA and exposes the business to complaints, investigation, and court-ordered remedies.
Three Specific Offences
PIPEDA as a whole is essentially a good-faith agreement put into law that protects personal information. Though most investigations are mediated to reach a positive outcome for the organization and the complainant, PIPEDA also makes three kinds of conduct, in addition to the breach-related offences above, punishable as offences:
- Knowingly destroying or disposing of personal information after receiving a request to access that information
- Retaliating against employees who, in good faith, report a contravention of PIPEDA or refuse to take part in one
- Obstructing the Commissioner's investigation of a complaint or an audit
What Personal Information Is Covered by PIPEDA?
Any personal information collected as part of a commercial activity is covered by PIPEDA. This includes:
- Age, name, and any ID numbers, including social insurance number or driver's licence number;
- Race, or national or ethnic origin;
- Medical and biometric information, diagnoses;
- Financial information;
- Relationship status; and
- Opinions, evaluations, and comments.
Business contact information, including an employee's name, title, business address, telephone number, and work email address, is not covered when it is used solely to contact that person in relation to their employment, business, or profession.
Make your information intake, exchange, and correction processes simple with managed file transfer.