The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It applies to private-sector organizations that collect, use or disclose personal information in the course of commercial activity, and it is designed to protect that information. Compliance requires that you follow 10 fair information principles that govern the collection, use and disclosure of personal information, as well as individuals' access to the personal information held about them.
Who does PIPEDA Affect?
It applies to all private-sector organizations in Canada that collect, use or disclose personal information in the course of a commercial activity. The Act defines a commercial activity as "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."
The main exceptions are Alberta, British Columbia and Quebec, which have their own private-sector privacy laws that have been declared substantially similar to PIPEDA. Organizations subject to a substantially similar provincial law are generally exempt from PIPEDA for activities that take place entirely within that province. However, any business that handles personal information that crosses provincial or national borders in the course of commercial activity is subject to PIPEDA, regardless of where the business is based.
Federally regulated organizations that conduct business in Canada (for example banks, airlines and telecommunications companies) are always subject to PIPEDA. If you are unsure whether your company is covered, the Office of the Privacy Commissioner of Canada (OPC) provides an online tool to help you determine whether PIPEDA applies to your organization.
What does it cover?
PIPEDA covers personal information, which the OPC describes as "any factual or subjective information, recorded or not, about an identifiable individual". Some examples include:
age, name, ID numbers, income, ethnic origin, or blood type
opinions, evaluations, comments, social status, or disciplinary actions
employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (e.g. to change jobs).
Compliance mandates that you follow the 10 fair information principles set out in Schedule 1 of the Act, which govern the collection, use and disclosure of personal information. The principles are:
Accountability
Your company is responsible for all personal information under its control. You are required to appoint someone (often called a privacy officer) to be accountable for PIPEDA compliance, and you remain responsible for protecting all personal information you hold, including information transferred to third parties for processing. Contracts or other means should be used to ensure those third parties provide a comparable level of protection. You must also develop and implement policies and practices for handling customers' personal information.
Identifying Purposes
PIPEDA requires that the purposes for which personal information is collected be identified before or at the time of collection. To comply with this principle, document why you are asking someone for each piece of information, tell individuals why you are collecting it at the time of collection, and obtain their consent again if you plan to use the information for a new purpose. You should not hold onto any personal information for which you no longer have a relevant purpose.
Consent
Obtaining meaningful consent is a central requirement of PIPEDA. Companies must obtain meaningful consent for the collection, use and disclosure of personal information. For consent to be meaningful, people must understand what they are consenting to, so use language that is easy to understand and explain what information is being collected and for what purpose it will be used. You must also give individuals a means to withdraw their consent at any time, subject to reasonable notice and to legal and contractual restrictions, and you must make them aware of the implications of withdrawing consent (e.g. loss of services or financial loss). PIPEDA allows two forms of consent, express and implied, depending on the circumstances. Generally it is best to stick to express consent to avoid any possible problems, and that is what I would advise. Under the OPC's guidance, however, express consent is required only when:
the information being collected, used or disclosed is sensitive;
the collection, use or disclosure is outside of the reasonable expectations of the individual; and/or,
the collection, use or disclosure creates a meaningful residual risk of significant harm.
Limiting Collection
This principle is closely related to identifying purposes. Companies are required to limit collection to the personal information the organization needs to fulfill an identified purpose. It requires honesty when stating your reasons for collection and requires that personal information be collected by fair and lawful means. All staff who work with this information should be able to explain why your organization needs it.
Limiting Use, Disclosure, and Retention
PIPEDA requires that companies use or disclose personal information only for the purposes for which it was collected, except with the consent of the individual or as required by law. It also requires that you retain information only as long as necessary to fulfill those purposes; information that is no longer required should be destroyed, erased or made anonymous. If you want to use or disclose personal information for a new purpose, you must obtain fresh consent from the individual. Be careful with the retention piece: in addition to your business purposes, other laws and regulations may require that you keep some personal information for a minimum period, and these must be considered when setting retention periods.
Accuracy
Companies must keep personal information as accurate, complete and up to date as is necessary for the purposes for which it is used, and must have processes in place to reduce the possibility of relying on incorrect information when making a decision about an individual or disclosing it to third parties. To meet this requirement, regularly update your information and make it possible for users to update their own information, reminding them to do so. You should also establish policies that define which types of information need regular updating (e.g. someone's address or preferences); static information such as date of birth can be omitted from regular updates. Keep a record of the steps you took to verify the accuracy and completeness of the information.
Safeguards
Companies must protect personal information with security safeguards appropriate to the sensitivity of the information. You should have a security policy covering personal information and implement physical measures (e.g. locked filing cabinets and alarm systems), technological measures (e.g. strong authentication, encryption, firewalls and timely security patching) and organizational controls (e.g. security clearances and access controls). When selecting safeguards, consider the sensitivity of the information, the risk of harm to the individual, the amount of information, the extent of its distribution, its format and storage medium, and the potential risk to your company. Safeguards should be reviewed regularly to ensure they remain adequate; mapping your controls to a well-known security framework is a good way to show that your implementation meets industry practice, and security audits, penetration tests and vulnerability scans provide evidence that you are exercising due diligence in protecting the personal information you hold. Lastly, employees should receive security awareness training and understand the importance of maintaining the security and confidentiality of personal information.
Openness
Your company should be open about its personal information management policies and practices. This information should be readily available to customers at no cost and should be clear and easy to understand, free of legal or technical jargon that would make it hard for the average person to follow.
Individual Access
With limited exceptions, individuals have a right to access the personal information an organization holds about them, to challenge its accuracy and completeness, and to have it amended where appropriate. Access must be provided at minimal or no cost to the individual. You must also be able to account for where the information was obtained, how it has been used and to whom it has been disclosed. A response must be provided within 30 days of the request, although the time limit can be extended by up to a further 30 days in some cases, provided the individual is notified.
Challenging Compliance
An individual must be able to challenge your organization's compliance with any of the PIPEDA principles, and should be able to raise the challenge directly with the person accountable for PIPEDA compliance. You should have a defined process for complaint handling and investigation, investigate all complaints you receive, and take appropriate corrective measures. You should also tell complainants about their avenues for recourse, including within your company, through industry associations and regulatory bodies, and with the OPC.
Fines and Penalties
PIPEDA creates offences punishable by fines of up to $100,000 CAD per offence on indictment (lower amounts on summary conviction). Three kinds of conduct can lead to prosecution under PIPEDA:
Knowingly destroying personal information after receiving a request for access to it
Retaliating against employees who report a contravention of PIPEDA or who refuse to take part in one
Obstructing the Commissioner in the investigation of a complaint or the conduct of an audit
Since the 2018 breach-reporting amendments, knowingly failing to report a breach of security safeguards or to keep the required breach records is also an offence carrying the same fines.
PIPEDA is a federal law that affects companies that carry on commercial activity in Canada. While there are exceptions for certain provinces and for non-profit organizations that are not engaged in commercial activity, most businesses that collect personal information for commercial purposes are affected by PIPEDA. The main takeaways are that businesses must obtain consumers' consent before collecting personal information, must collect it for a specific purpose, and must make that purpose known when asking for consent. Businesses may hold personal information only while it is needed for the purpose for which it was collected (or for as long as other laws require), after which it must be disposed of securely. Businesses must make it easy for consumers to update their information and to access the information held about them, and all communications with consumers must be simple and easy to understand, with no legal jargon or complicated expressions.