Wondering about PIPEDA Canada?
What is PIPEDA?
Who is subject to PIPEDA?
What are the 10 principles of PIPEDA?
These are all great questions to which we have all the answers.
Are you ready?
Let’s get started!!!
What is PIPEDA
PIPEDA is the acronym for the Personal Information Protection And Electronic Documents Act of Canada.
PIPEDA is data protection and privacy legislation adopted by the Canadian government to protect and safeguard the collection, use and disclosure of personal information that companies obtain in the normal course of business.
The law governs how private sector organizations collect, use and disclose personal information in the course of commercial activity.
A commercial activity under PIPEDA is any type of commercial dealing, act or conduct between a company and another party, whether or not the transaction was for a fee.
The spirit of PIPEDA is to help promote consumer trust in the use of electronic commerce and facilitate the use of electronic documents in business.
PIPEDA was adopted on April 13, 2000, in response to the adoption of data protection and privacy laws in Europe, to demonstrate that Canadian privacy laws were adequate to protect the personal information of Europeans.
Canada is an important global player in the data protection and data privacy space and has adopted a comprehensive set of legislation intended to protect personal information.
Data protection and privacy principles of PIPEDA
Schedule 1 of PIPEDA lays out 10 fair information principles that businesses and organizations must adhere to when collecting, using and disclosing personal information.
The law requires that businesses adopt these principles to protect personal information so individuals can have a sufficient level of trust when conducting business with one another.
These principles are:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
By following these principles, companies can show that they take personal data protection and privacy seriously and that they are committed to protecting any personal information they handle.
Accountability
Companies should designate at least one person within their organization who is responsible for their privacy law compliance.
Identifying purposes
Companies should be mindful of why they are collecting consumer information so that they can justify the purpose, stop using the information when it is no longer needed and ensure that the consumer has given proper consent.
Consent
An individual’s consent must be clear and informed.
This means that companies must be transparent as to what information they will collect and why.
When a company needs a person’s personal information, it must be able to explain what information it needs, why it needs it and how it is essential to rendering its services.
Depending on the extent of information collected, organizations must get the necessary individual consent.
Limiting collection
Companies should collect consumer information only to the extent needed to render their services.
In other words, information beyond what is needed to render services should not be collected.
Limiting use, disclosure and retention
Companies must adopt measures to limit, as much as possible, the use, disclosure and retention of the personal information they acquire on a person.
Companies generally adopt a data retention policy that determines how long they will keep consumer data once the data is no longer necessary for its purpose.
Accuracy
Data collected on a person must be accurate, complete and up to date.
Companies should adopt reasonable measures to make sure they have the most complete and accurate information on a person, so that they use the proper information when making decisions about them.
Safeguards
Companies must adopt safeguards and measures to prevent any data breach, unauthorized access to consumer personal data or any other violation of their data privacy obligations.
Depending on the sensitivity of the data, organizations should adopt safeguards reasonable enough to protect the information.
Openness
Companies should be transparent and open about how they collect and use personal information.
Generally, companies can publish policies showing their clients how they collect, use and handle personal information.
Individual access
Anyone can ask a company to provide access to the information the company holds on them.
The company should be able to inform the individual how the information was collected, why it was collected and how it was used in its business.
Challenging compliance
Companies must adopt policies and practices enabling anyone to file a privacy complaint with them, so that the company can review the complaint and respond to the complainant.
The law requires that companies investigate any privacy concern or complaint filed with them and take remedial steps as needed.
Rights granted to individuals by PIPEDA
Under the Canadian privacy law, individuals are granted the right to:
- Understand how companies are collecting, using and disclosing their information
- Have their personal information used only for the purpose that was communicated to them
- Know how companies protect their personal information
- Expect companies to adopt proper security measures
- Expect companies to hold accurate, complete and up-to-date information about them
- Get access to their information upon request
- Have companies correct errors in their information
- Lodge complaints with companies related to the handling of their personal information
- Expect companies to obtain their consent before collecting, using and disclosing their information
- Expect companies to collect and use information lawfully and through fair means
- Expect companies to adopt personal information policies
The objective of the privacy law in Canada is to hold companies accountable for the information they collect and use, while giving consumers the power to demand answers from companies about how their personal information is gathered and used.
Who is subject to PIPEDA
PIPEDA applies to any business that operates in Canada and handles personal information.
Let’s see in which context.
Businesses having data crossing provincial or national borders
PIPEDA applies to all businesses operating in Canada handling personal information crossing different Canadian provinces or the Canadian national borders.
As soon as a business or organization transfers personal data into or out of the province or the country, PIPEDA applies regardless of any local provincial statute on data protection and privacy.
For example, the provinces of Alberta, British Columbia and Quebec have adopted their own private-sector privacy laws, which are deemed to be substantially similar to PIPEDA.
So an organization located in Quebec and subject to the Act respecting the protection of personal information in the private sector but handling personal information that goes outside of the province of Quebec or Canada will be subject to PIPEDA.
Canadian federally regulated businesses
PIPEDA applies to all federally regulated businesses conducting business in Canada.
Federally regulated businesses include any commercial activity or sector under the control of the Canadian federal government as per the Canadian constitution, such as:
- Airlines and all related industries like airports and airplanes
- Banking whether Canadian or foreign banks authorized to do business in Canada
- Transportation companies
- Telecommunication companies
- Drilling operations
- Television broadcasters
Businesses in the Northwest Territories, Yukon and Nunavut are subject to PIPEDA, as these territories are considered to be federally regulated.
Businesses not subject to PIPEDA
What businesses are not subject to PIPEDA?
Let’s analyze this question briefly.
Federal organizations listed in the Privacy Act
Federal government organizations that handle personal information and are listed under the Privacy Act are not subject to PIPEDA.
Organizations subject to provincial privacy statutes
In Canada, Alberta, British Columbia and Quebec have adopted data privacy legislation deemed to be substantially similar to PIPEDA.
As a result, an organization subject to one of these provincial laws is exempt from PIPEDA when collecting, using and disclosing personal information within its province.
The following provincial privacy laws are declared to give substantially similar protections as PIPEDA:
- Act Respecting the Protection of Personal Information in the Private Sector (Quebec)
- The Personal Information Protection Act (British Columbia)
- The Personal Information Protection Act (Alberta)
- The Personal Health Information Protection Act (Ontario)
- The Personal Health Information Privacy and Access Act (New Brunswick)
- The Personal Health Information Act (Newfoundland and Labrador)
- The Personal Health Information Act (Nova Scotia)
Provincial and territorial governments
Provincial and territorial governments, including their agents, are not subject to PIPEDA when collecting, using and disclosing personal information.
Not-for-profit and charity organizations
Not-for-profit and charity organizations are generally not subject to PIPEDA when their activities are limited to those central to their mandate and are not commercial in nature.
If they engage in commercial activities, they will be subject to the terms of PIPEDA.
Political parties and associations
The application of PIPEDA to political parties and associations is similar to that of not-for-profit and charity organizations.
If they collect, use and disclose information in the course of executing their mandate and central to their function, they will not be subject to PIPEDA.
If they engage in commercial activities beyond their central function, then PIPEDA will apply.
Municipalities, universities, schools and hospitals will generally not be subject to PIPEDA, as they are governed by provincial laws.
However, in some circumstances they may nonetheless be subject to PIPEDA.
For example, due to the nature of the personal information collected by hospitals, other laws and statutes may apply, and in some cases PIPEDA as well.
What is considered personal information under PIPEDA
The definition of personal information under PIPEDA is relatively broad and includes any factual or subjective information about an identifiable individual.
Here is a list of what can be considered as personal information under PIPEDA:
- Personal ID
- Person’s opinion
- Person’s comments
- Person’s file
- Credit records
- Medical records
- Legal records
- Business transaction records
- Consumer information
And so on.
Any information collected, used or disclosed by a company that can lead to identifying a person is personal information.
What is not considered personal information under PIPEDA
In some cases, the information collected, used and disclosed is not subject to PIPEDA because it is not personal information, or is not deemed to be personal information.
The following information is not subject to PIPEDA:
- Business contact information collected and used strictly to communicate with that person
- Collection, use and disclosure of personal information purely for personal purposes
- Use of personal information for journalistic purposes
- Use of personal information for artistic purposes
- Use of personal information for literary purposes
When information is not considered personal information under PIPEDA, the obligations outlined in the legislation do not apply.
PIPEDA and the General Data Protection Regulation
The European Union adopted the General Data Protection Regulation (GDPR), a set of rules and obligations imposed on businesses and companies to protect the personal information of European citizens.
The principles underlying the GDPR are substantially similar to those of PIPEDA.
For example, under GDPR, individuals have the right to access their personal information, understand how companies are processing their information or collecting it, challenge companies in how their data is managed and so on.
Canada has adopted its privacy law in such a way that its breach notification requirements are consistent with the GDPR and European privacy legislation.
The Regulatory Impact Analysis Statement published by the Canadian government in 2017 states:
“in line with the proposed Regulations, EU companies will be required to keep a record of all data breaches for the purpose of demonstrating due diligence with regard to their reporting obligations.
This alignment is important to Canada–EU trade. PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the European Union, which allows for the free flow of personal information from the European Union to Canadian organizations.”
This means that Canadian companies and European companies can transfer personal information from the EU to Canada without risk of breaching their obligations under the GDPR.
The Office of the Privacy Commissioner of Canada (OPC) makes available some useful online tools to help Canadians and businesses subject to PIPEDA inform themselves of their rights and obligations.
Finding the right regulatory organization
In Canada, privacy issues can be handled by different laws and managed by different institutions.
With the OPC’s online tool, you can select the type of personal information issue you are concerned about and it will guide you to whom to contact.
The tool breaks down the type of personal information issue under three categories:
- Personal health information
- Personal employee information
- Other types of personal information
PIPEDA self-assessment tool
The Office of the Privacy Commissioner of Canada makes available a self-assessment tool to help medium and large companies develop and implement proper privacy governance and management.
The online PIPEDA self-assessment tool helps organizations benchmark and improve their privacy systems and practices by checking the organization against a set of expectations and determining the degree to which those expectations are met.
Any gaps or compliance risks discovered by the organization should be remedied to minimize risk.
The OPC has a great body of information and material helping individuals and businesses understand their rights and obligations.
Resource for individuals
On OPC’s website, individuals can find helpful information on the following:
- How their information is collected and used by businesses and government institutions in Canada
- Individual rights
- Reporting concerns and filing complaints
- Receiving a privacy breach notification
- Online services
- Landlord and tenant obligations
- Protecting driver’s licence information
- Reading privacy policies
- Resource for seniors
- Privacy for kids
- Accessing personal information
- Which privacy law applies
- Mobile devices
- Employers and employees
- Protecting the social insurance number
- Identity theft
- Health, genetic and body information
Individuals have a wealth of information available to them about their rights under PIPEDA.
Resource for businesses
Similarly, businesses can also get a lot of information directly from the Privacy Commissioner’s website.
The following information is made available to businesses:
- Safeguards and breaches
- Video surveillance by businesses
- Cloud computing
- Advertising and marketing
- PIPEDA compliance help
- Collecting personal information and consent
- Employers and employees
- Transferring data across borders
- Mobile apps
- Health, genetic and body information
These resources provide a good baseline of information to help companies understand their obligations and the processes they need to adopt or implement.
PIPEDA Amendment regarding data breach notifications
Effective November 1, 2018, the data breach notification regime under PIPEDA was amended to require companies to determine whether a data breach poses a risk of significant harm to individuals.
This amendment was passed as part of the Digital Privacy Act in 2015.
In the event of a data breach, organizations have the following obligations:
- Report the data breach to the Privacy Commissioner of Canada if the breach involves personal information and poses a risk of significant harm to individuals
- Notify the individuals whose information was breached
- Notify other companies or organizations that may be able to mitigate the risk
- Track and keep a record of all breaches for 24 months from the date the breach occurred
When a company is required to report a breach to the Privacy Commissioner of Canada, it is encouraged to complete the PIPEDA breach report form.
The OPC has published comprehensive information on what companies need to know about the mandatory reporting of breaches of security safeguards.
Complaints under PIPEDA
Consumers, individuals or the Privacy Commissioner can file a complaint under PIPEDA, which follows an ombudsman model.
When a complaint is initially filed, the Office of the Privacy Commissioner of Canada first evaluates if the complaint falls within its jurisdiction.
When the jurisdictional aspect is cleared, the complaint will then be reviewed and investigated by the Office of the Privacy Commissioner of Canada.
Once the investigation is complete, the OPC will produce a report of its findings.
The OPC has no legal authority over the parties to render a binding decision, award damages or issue compliance orders.
Accordingly, the OPC’s report of findings following a complaint is not legally binding and is more like a recommendation.
Hearing by court
Once the OPC report is issued, the complainant can apply to the court for a hearing on the subject matter of the complaint.
It is the Federal Court of Canada that is mandated by law to hear and decide privacy complaints and the findings of the OPC.
The complainant has one year to file an application with the Federal Court of Canada relating to the complaint.
The Federal Court will have the power to:
- Order an organization to correct its practices in order to comply with the law
- Order an organization to publish a notice of any action taken or proposed to be taken to correct its practices
- Award damages to the complainant including damages for any humiliation that the complainant has suffered
Private sector companies operating in Canada must understand their obligations under PIPEDA as it relates to data protection and data privacy.
PIPEDA stands for the Personal Information Protection and Electronic Documents Act.
The law is essentially information protection legislation.
PIPEDA is data protection and privacy legislation adopted by the Canadian government to protect and safeguard the collection, use and disclosure of personal information that companies obtain in the normal course of business.
Under PIPEDA, personal information is defined as “any information about an identifiable individual”.
Based on this broad definition, any organization that collects, uses or discloses personal information in the course of commercial activity must comply with PIPEDA.
Commercial activity is defined to be “any particular transaction, act or conduct or any regular course of conduct that is commercial, including the selling, bartering or leasing of donor, membership or other fundraising lists”.
By implementing PIPEDA’s ten fair information principles, companies can comply with their PIPEDA obligations and ensure they provide their clients with sufficient safeguards to protect their information.
We hope this article was useful to help you better understand PIPEDA.
Did you ever have an interesting experience to share regarding PIPEDA compliance?
We would love to hear from you.
Drop us a comment!