Table of Contents
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that sets out the ground rules for how private sector organizations collect, use, and disclose personal information during commercial activities.
PIPEDA was created to balance individual privacy with an organization’s need for business data. The legislation was enacted in response to the increasing use of technology in the collection and exchange of personal information and to ensure that personal information is protected in a manner that is consistent with the European Union's data protection standards.
In this article, we'll take a look at PIPEDA compliance requirements and the steps you can take to stay ahead of this legislation. Let's dive in.
What Information Is Protected Under PIPEDA?
Broadly, any type of personal, identifiable information is protected under PIPEDA, from health information to demographic details. The most common types of data protected by PIPEDA include:
- Personal details like age, name, or blood type
- Race, nationality, or ethnicity
- Tracking information such as ID numbers, social security numbers, or driver’s license
- Financial data, credit history, or loan details
- Medical, education, and employment records
- Opinions and comments
Essentially, any information that can be used or combined to identify an individual is protected under PIPEDA.
Who Must Adhere to PIPEDA?
PIPEDA regulations apply to the following entities:
- Organizations that collect, use, or disclose personal information for commercial purposes
- Foreign organizations that collect, use, or disclose personal information of Canadian citizens for purposes deemed “commercial”
The distinction between commercial and non-commercial activities is key. Business use of technology has changed radically over the past few decades. Companies that used to stick to professional business channels now leverage customer outreach and marketing across social media, personal communication apps, and more. In other words, companies need to make sure that any activities deemed “commercial” in nature stay compliant with regulations.
Per PIPEDA itself, commercial activities are defined as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
Note that there are certain exemptions to PIPEDA that, while uncommon, may affect an organization’s compliance requirements.
A common example of an exempted use includes employee information that is used solely to establish or manage an employment agreement. Other exemptions apply to national security issues, law enforcement concerns, and publicly available information that does not include any sensitive personal details.
PIPEDA Compliance Requirements
PIPEDA outlines ten fair information principles that form the basis of compliance, each of which must be adhered to:
2. Identify Purposes
4. Limit Collection
5. Limit Use, Disclose, Retention
9. Individual Access
10. Challenging Compliance
We discuss these requirements in detail in our blog about the impact of PIPEDA.
How to Stay Compliant with PIPEDA
Data privacy is more relevant to users and consumers than ever before. Canada’s existing PIPEDA and proposed future privacy legislation means that you can’t avoid your responsibilities as a private sector organization that collects, uses, and discloses personal information.
PIPEDA compliance can become complex as a company grows, and some jurisdictions will have comparable legislation that further governs activities. Companies must be sure that they understand the regulations present in their own regions and take active steps to improve processes.
The above ten principles are the foundation of PIPEDA, but knowing the requirements is only the first step. Companies should have a systematic, structured process in place to organize data in accordance with these values. This is the only way to guarantee full regulatory compliance – both with PIPEDA and with future mandates that may become relevant.
Having said that, here are a few steps you can take to achieve PIPEDA compliance:
Invest in Data Governance
Your data governance includes everything your organization does to guarantee that data is private, accurate, secure, available, and usable. Data governance practices include things like actions your employees need to take as well as the technology that supports those actions. You need to have strong, efficient, effective data governance practices in place to avoid data breaches while you ensure consumer access to important information.
Have Robust Security Protocols
This one is simple. What security protocols do you have in place to protect against breaches? Are they reliable? Are you paying for a “Cadillac” service that’s not used to its full potential? Security applications, services, and support all serve as your first line of defense against bad actors. Yours need to be optimized for maximum impact.
Implement a Process to Respond to Data Breaches
You need to have a plan in place for when data breach incidents happen. They’re not pretty, and they’re even worse when they go unchecked. You can minimize negative consequences when you have a management plan ready to go, just in case.
Keep Employees Trained & Ready
There’s a good chance your employees work with important personal information daily if you’re an organization that’s required to comply with PIPEDA. Believe it or not, data breaches are usually traced back to a haphazard link click or file download from an employee email. That’s why it’s crucial to train your employees to recognize, avoid, and eliminate common data breach phishing tactics as well as how best to handle personal information during commercial transactions.
Always Keep Software & Devices Up to Date
Data privacy issues are just as often attributed to outdated technology that makes it easier for bad actors to gain access to your systems. Remember to download that update, upgrade your software, and optimize your collection methods where appropriate.
Stay Prepared for Audits
A recurring theme in any type of compliance discussion is that companies must keep all pertinent details organized and available for audits. In other words, every company needs an effective data discovery process to help them achieve ongoing compliance.
Data discovery platforms help organizations identify, classify, and monitor sensitive data. This information can then be used to ensure that data handling practices are in line with relevant regulations and standards, such as PIPEDA, GDPR, or any other relevant industry mandate.
With visibility into the type and location of sensitive data, organizations can implement appropriate security measures and apply the necessary restrictions to prevent unauthorized access or misuse. For organizations that seek help with compliance in their industries, these types of platforms can be the single biggest improvement to existing processes.
What Happens If You Don’t Comply With PIPEDA?
In cases of PIPEDA non-compliance, a user may wish to make a complaint. Complaints can also be made by the Privacy Commissioner if they feel there are reasonable grounds to investigate. If it’s decided that the activity or noncompliance is covered by the Act, the process will proceed.
The approach taken by the Commissioner and OPC is to seek a cooperative resolution. The goal is to resolve the issue for the user in a satisfactory way, directly with the organization if possible.
If a resolution can’t be achieved with or without the input of OPC at this stage, the complaint will move into an investigation stage. Here, the OPC can make recommendations to the organization. While these aren’t legally binding if they’re ignored the OPC may choose to progress the matter even further to the federal court.
For complaints for non-compliance that reach federal court, further remedies are available. This means an organization could be forced to correct its practices to be compliant, be required to publish a notice of action taken against them, or pay damages to the complainant — including for any humiliation caused.
For a closer look at how the enforcement process happens, take a look at this interactive infographic provided by the OPC.
Outside of the complaints process, organizations that are knowingly in breach of PIPEDA’s requirements can be subject to a fine. At present, this fine sits at $100,000 per violation. This figure is set to rise with the introduction of Canada’s proposed Consumer Privacy Protection Act, making it more important than ever for organizations to understand their responsibilities when it comes to data privacy.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.