Simplify Privacy and Data Protection for PIPEDA Compliance

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law outlining data privacy and regulations organizations are required to follow. PIPEDA governs how private sector organizations collect, use, and disclose personal information in the course of commercial business.

PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.

According to Office of the Privacy Commissioner of Canada’s Privacy Guide for Businesses “All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).” The privacy guide continues to state, “PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.”

The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets out the privacy obligations organizations must adhere to when handling personal information.

Complaints under PIPEDA can be initiated by an individual or the Commissioner. When an individual files a complaint under PIPEDA, the OPC first determines whether the matter is covered by the Act. Once a complaint is accepted, the OPC begins an investigation. When appropriate for the privacy issue in question, efforts are made to resolve complaints in the early stages of the investigation process (i.e. early resolution).

PIPEDA’s 10 fair information principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.

The OPC has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones):

Collecting, using or disclosing personal information in ways that are otherwise unlawful
Profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law
Collecting, using or disclosing personal information for purposes that are known or likely to cause significant harm to the individual
Publishing personal information with the intent of charging people for its removal
requiring passwords to social media accounts for the purpose of employee screening
Conducting surveillance on an individual using their own device’s audio or video functions.

Principle 1 – Accountability details the responsibility for personal information under its control and the organization must appoint someone to be accountable

Principle 2 – Identifying Purposes explains the purposes for which the personal information is being collected must be identified by the organization before or at the time of collection

Principle 3 – Consent of the individual are required for the collection, use, or disclosure of personal information

Principle 4 – Limiting Collection of personal information must be limited to that which is needed for the purposes identified by the organization

Principle 5 – Limiting Use, Disclosure, and Retention unless the individual consents otherwise or it is required by law, personal information can only be used, disclosed, or retained for the purposes for which it was collected

Principle 6 – Accuracy explains personal information must be as accurate, complete, and up-to-date as possible

Principle 7 – Safeguards of personal information must be protected by appropriate security relative to the sensitivity of the information

Principle 8 – Openness explains an organization must provide public detailed information about its policies and practices relating to the management of personal information

Principle 9 – Individual Access upon request, an individual must be informed of the existence, use, disclosure, and ability to amend their personal information and be given access to that information.

Principle 10 – Challenging Compliance an individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer

PIPEDA may be easy to follow, but the fines for noncompliance are very steep and can cost up to $100,000 for each violation.