PIPEDA is an acronym for a Canadian federal statute: the Personal Information Protection and Electronic Documents Act.
PIPEDA is Canada’s main data privacy and protection law intended to protect personal information within commercial activities.
PIPEDA was initially introduced as a bill in 1998 (Bill C-54), reintroduced in October 1999 (Bill C-6) and ultimately received Royal Assent from the federal government on April 13, 2000, with the objective of enhancing overall trust in electronic businesses and industries.
PIPEDA came into effect in three stages:
- On January 1, 2001, it started applying to federal works, undertakings and businesses
- On January 1, 2002, to the personal health information described under phase 1 of the law
- On January 1, 2004, to all organizations collecting, using and disclosing personal information in the course of their commercial activity
The objective of this legislation is to find the right balance between the need for businesses to collect, use and disclose personal information for legitimate business purposes and an individual’s right to privacy with respect to their personal information.
Should an individual feel that a company has misused their personal information or did not obtain their consent prior to the collection, use and disclosure of the personal information, they can file a complaint with the Privacy Commissioner, who has the power to investigate and sanction organizations violating PIPEDA.
PIPEDA also outlines 10 fair information principles designed to guide organizations to comply with their data privacy and protection obligations.
This federal statute applies to organizations collecting, using and disclosing personal information in the course of their business, with some notable exceptions.
In Canada, the provinces of Quebec, British Columbia and Alberta each have their own privacy legislation deemed substantially similar to PIPEDA.
As a result, when the provincial privacy laws of these provinces apply, PIPEDA will not apply.
PIPEDA does not apply to:
- Organizations subject to the Privacy Act
- Personal information collected for personal use
- Personal information collected for journalistic, artistic or literary purposes
- The name, title, business address and telephone number of a company employee
The 10 fair information principles are:
- Identifying purpose
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance