What are the PIPEDA principles?
What are the 10 fair information principles under PIPEDA?
This article is intended to give you an overview of the PIPEDA fair information principles so you can better understand the spirit of the Canadian privacy law.
Are you ready?
Let’s get started!
What are the PIPEDA principles
PIPEDA, an acronym for Personal Information Protection and Electronic Documents Act, is Canada’s main privacy law governing all aspects relating to how businesses collect, use and disclose personal information.
Under this law, 10 fair information principles form the ground rules for how companies are to handle, use and disclose personal information they acquire in the course of their commercial activities.
Schedule 1 of PIPEDA, titled “Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96”, outlines the 10 principles.
The purpose of the PIPEDA principles is to empower individuals to take greater control over their personal information and data when their information is managed by the private sector.
The principles outlined in PIPEDA are:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Let’s look at each of these fair information principles in detail.
Principle 1: Accountability
To comply with the accountability principle, organizations must appoint someone to be responsible for their organization’s privacy law compliance.
If the company is subject to the obligations found in PIPEDA, someone will need to be in charge of privacy law compliance within the organization.
Organizations must also take the necessary measures to protect the personal information they receive in the context of their commercial activity and information they transfer to third parties for processing.
To that effect, it’s advisable to devise, implement and manage policies and practices designed to promote and protect data privacy and data protection.
Principle 2: Identifying Purposes
The purpose for which a company intends to collect personal information must be clearly identified and documented.
Under this second principle of identifying purposes, a company must be able to justify what specific personal information it needs to render its services.
By understanding what information is required to properly render services, companies can adequately scope the purpose of the personal information collection, use and disclosure.
Principle 3: Consent
Getting the consent of an individual is central to the obligations contained in PIPEDA.
When an organization needs to collect, use and disclose someone’s personal information, they must inform the individual of why they need their personal data and get the needed consent if one is required.
To obtain the consent, the company must explain, in simple terms, why they need the individual’s consent so the average person can give a true and meaningful consent.
Organizations must evaluate the nature and sensitivity of the information they collect so they can properly inform the individual and adequately define the form of consent needed.
If a person can give consent for the collection, use and disclosure of their personal information, they can also withdraw their consent.
Companies must allow individuals to withdraw their consent and to understand the implications of doing so.
Principle 4: Limiting Collection
The principle of limiting collection requires that organizations collect only the personal information needed to fulfill their intended purpose.
A company should not obtain more personal information than is needed to render its services.
Private-sector businesses must be truthful and honest about what personal information they need and are collecting so as to promote the trust and confidence of consumers.
By limiting the collection to only the information needed to render services, this principle helps prevent companies from deceiving or misleading consumers about the purpose or intent for collecting personal information.
Principle 5: Limiting Use, Disclosure and Retention
Companies must only use someone’s personal information for the identified purpose for which it was collected.
A company cannot present a particular purpose to a consumer and use the information for another reason.
Limiting use refers to the collection, use and disclosure of the information strictly for the purpose initially defined when the information was collected from the consumer.
If the purpose for which the data was initially collected changes over time, the company must obtain further consent from the consumer.
This relates to the obligation of disclosure to the consumer.
The obligation of disclosure is to inform the consumer why their information is being used and for how long.
The best practice is to adopt and implement procedures and policies aimed at limiting the manner in which personal data is used, to ensure that the consumer has consented to the purpose for which data may be used and is informed of the applicable data retention policies.
Organizations should consider destroying, erasing or anonymizing data that is no longer needed in order to limit the use and retention period.
Principle 6: Accuracy
The objective of the accuracy principle is to ensure that the consumer data used is up-to-date so proper decisions can be made about the consumer.
If the information is not up-to-date or accurate, companies should consider how it can impact the consumer and make reasonable efforts to update the information.
Making decisions about a consumer should be done on the basis of accurate and correct information on the individual.
Principle 7: Safeguards
Another major principle of PIPEDA is the protection of personal information.
Protecting personal information and implementing proper safeguards to protect personal data is crucial to observing and complying with the Canadian privacy law.
Through adequate safeguards, companies can prevent unauthorized access to personal data, prevent loss or theft of data or even disclosure of the data to persons not entitled to receive it.
PIPEDA does not impose any specific safeguard or process designed to protect personal data.
Organizations must consider the nature of the data in their possession, the sensitivity of the data and how the data can be used to define the most suitable standards for safeguarding the personal data.
Principle 8: Openness
Under the principle of openness, companies should make it easy for consumers to understand how their data is going to be used, why they are asked to give consent and how the company is going to protect their data.
The more you can convey your message in simple terms that all can understand, the more effective your policy and message will be.
Principle 9: Individual Access
Individual access means that individuals should be able to access their personal information used by a company.
At any point in time, a consumer can demand that a company provide access to, or a copy of, all the data held about them.
By being able to access their information, consumers can validate if the data collected by the company is consistent with what they consented to initially, correct any inaccurate information or take any other measures authorized by law.
Principle 10: Challenging Compliance
The tenth principle is allowing consumers to challenge a company’s compliance with PIPEDA or file a privacy complaint and expect a response.
This principle requires that companies offer consumers the possibility to challenge the manner by which they collect, use and disclose consumer data.
As such, organizations should provide a process to allow consumers to file a complaint with them and ensure that all complaints are adequately investigated and addressed.
Objective of the PIPEDA principles
By adopting the Personal Information Protection and Electronic Documents Act, the Government of Canada’s objective was to enhance trust in the digital economy.
Right from the early days, PIPEDA’s intended purpose was:
to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
The Canadian government’s objective is to adopt privacy laws and standards to remain interoperable with leading jurisdictions in the privacy space such as Europe and the United States.
How to comply with the PIPEDA principles
To comply with the PIPEDA principles, organizations can adopt the following procedures:
- Appoint a privacy officer responsible for the privacy compliance within the organization
- Identify the privacy legislation applicable to the company
- Understand the ten privacy principles under PIPEDA
- Determine the privacy philosophy of the organization and risk tolerance
- Perform a privacy assessment to evaluate the organization’s current privacy practices
- Identify opportunities to address privacy compliance gaps
- Develop a privacy work plan to comply with the privacy legislation
- Develop procedures and policies relating to data privacy
- Develop procedures allowing consumers and individuals to access their data
- Develop proper guidelines and policies with regard to your website, email use, security, data privacy and data protection
- Ensure that all company stakeholders understand the privacy laws, company policies and procedures
- Develop a training program on privacy
- Develop appropriate controls and review procedures
- Communicate all privacy updates and policies to the organization
This checklist is to help you get started.
Depending on the nature and sensitivity of the personal data your organization collects, your organization must properly evaluate its compliance with PIPEDA and close any compliance gaps to the extent possible.
Purposes that do not comply with the fair information principles
To better understand the PIPEDA fair information principles, it may be useful to cover some personal data collection and use purposes that are not considered appropriate under PIPEDA.
Here are some scenarios:
- Collecting and using personal information for unlawful purposes
- Profiling or categorizing individuals leading to unfair, unethical or discriminatory practices
- Using and collecting personal information that can cause harm to someone
- Publishing personal content and accusing someone of having published that content
- Demanding access to an individual’s private account or social media profile for screening
- Performing surveillance using a personal mobile device by recording audio or video
As you can see, in most cases, common sense can help guide organizations in defining what is a proper and legitimate purpose for collecting and using personal information.
When the purpose does not fit well with the PIPEDA principles, organizations must carefully reflect on how to handle and address the situation.
Online privacy and the protection of our personal information is paramount for consumer trust and confidence in online transactions and activity.
We navigate online websites and share a lot of information over the web.
Our expectation is that our information be used only for the purpose that it was shared and nothing else.
Another expectation is that we are informed as to what information is collected about us and how companies use our information.
In many cases, defining a legitimate purpose for collecting and using personal information is clear.
In other cases, it may be more of a grey area.
To help companies and organizations make privacy law decisions, PIPEDA, Canada’s main privacy law, has identified ten principles that should guide companies in making decisions about the collection, use and disclosure of personal information.
These principles are:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
For any personal information collected, companies must be mindful of why they are collecting the personal data, how they will make use of it, how to safeguard it and so on.
The above principles must be observed to demonstrate compliance in the manner in which personal data was handled in an organization operating in Canada.
We hope this article was useful in presenting to you the 10 principles of fair information.
We would love to hear from you if you have any comments on these principles and how you’ve seen them in action.
Drop us a comment!