Canada is one of the countries lucky enough to have a federal privacy law that covers private sector organizations. This gives its residents greater rights when it comes to data privacy, as well as placing new requirements on relevant organizations.
In this guide, we’ll take you through the basics of PIPEDA. We’ll cover what it means, who needs to comply with it, and what your responsibilities are if it applies to your business. We’ll also share a user-friendly tool to help you stay compliant with PIPEDA and other privacy laws.
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal law that governs how private sector companies interact with Canadians’ personal data. Think of PIPEDA as Canada’s equivalent to the EU’s well-known General Data Protection Regulation (GDPR).
Since coming into law in 2000, this privacy legislation has given users new rights and controls over their personal information, and placed new responsibilities on organizations required to comply. PIPEDA requires private sector companies to take more care over how they handle personal information, and adhere to ten key principles. These principles cover how personal data is collected, used, and disclosed to others.
Who Needs to Comply With PIPEDA?
PIPEDA doesn’t apply to every organization based in Canada. Like most privacy legislation, it sets out tests to identify whether your organization needs to comply. With PIPEDA, these tests are very straightforward to understand.
PIPEDA applies to organizations that meet both of the following conditions:
- They collect, use, or share personal information
- They do so in the course of a commercial activity
In most cases, private sector organizations are likely to need to consider PIPEDA compliance as a necessity. Almost every private sector business collects, uses, and discloses personal information for a commercial activity as part of their daily transactions. This means you should be mindful of PIPEDA and understand how to comply with it.
Federally regulated organizations are also subject to the rules and responsibilities of PIPEDA — and these responsibilities extend to the data belonging to their employees. Banks, airports, telecommunications companies, and other federally regulated organizations, therefore, need to comply with PIPEDA.
Exceptions to PIPEDA Compliance
There are always some exceptions to the rules, and PIPEDA lists several exemptions for organizations and groups that are not covered by the legislation. These mostly cover federal organizations or organizations based in specific territories.
Examples of instances not covered by PIPEDA include:
- Personal information held by federal government organizations that’s already covered by the Privacy Act
- Nonprofits, charity organizations, and political parties and associations — unless being used in a commercial way outside their usual scope of activity
- Territorial and provincial governments and their agents
- An employee’s or business’ contact information used solely for the purpose of contacting them about their profession — e.g. title, business, email address
- The collection, use, or sharing of personal information for literary, artistic, or journalistic purposes
- Individuals that are collecting and using personal information for personal purposes only — for example to send birthday party invitations
While not always, hospitals, universities, schools, and municipalities are typically exempt from PIPEDA. This is because their activities and use of personal data are already covered by provincial laws.
PIPEDA also does not apply to most private sector activities in provinces that have their own privacy laws. The provincial privacy laws in Alberta, British Columbia, and Quebec have been deemed substantially similar to PIPEDA, so in those provinces the provincial law applies instead. This is only the case where information stays within the province’s borders — for information that leaves these provinces, PIPEDA applies instead.
If you’re ever unsure about whether or not PIPEDA applies to your situation, it’s always best to get in touch with the Office of the Privacy Commissioner of Canada (OPC).
What’s Classed as Personal Information?
While most privacy laws generally use personal information to mean a similar group of data, it’s helpful to understand exactly how PIPEDA interprets the term. That way, you’re not caught out by your own personal idea of what personal data means.
Under PIPEDA, personal information covers any “factual or subjective information, recorded or not, about an identifiable individual.” What’s interesting here is that the definition includes subjective information — which can be as simple as an opinion shared about an individual.
Examples of personal information covered by PIPEDA include:
- Name, age, ethnic origin, nationality, marital status
- Income, credit records, loan records
- Blood type, DNA, personal health information records
- Opinions, disciplinary actions, and assessment records
- ID numbers, driver’s license number, social insurance number
As you can see from the list above, PIPEDA covers a mix of personal information — including sensitive data like health records and credit records. That’s why it’s so crucial that organizations which PIPEDA applies to take great care to secure this data, and to inform users over how it’s collected, used, and shared.
What’s Classed as Commercial Activity?
Simply collecting, using, or sharing personal information isn’t enough to make an organization subject to PIPEDA. It also needs to do this in the course of commercial activities.
PIPEDA defines commercial activity as:
“Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
This means that PIPEDA not only covers obviously commercial activities like buying and selling goods and services but also the less obvious — like leasing a membership list. It’s also key to remember that the commercial aspect applies to how you intend to or do collect, use, or disclose the personal information — not the nature of the information itself.
The Principles of PIPEDA and Your Responsibilities
PIPEDA sets out ten fair information principles that cover how organizations should collect, use, and disclose personal information if they’re subject to the privacy legislation. These principles not only cover an organization’s PIPEDA requirements but help you to understand how they protect users’ rights too.
1. Accountability
This principle states that you must take responsibility for the personal information that you hold. You should protect this information while it’s stored with you, and when it’s transferred to a third party for processing.
Organizations that fall under PIPEDA also need to appoint someone to be responsible for PIPEDA compliance within their company. This role is similar to that of a data protection officer — someone who oversees compliance and data privacy, takes steps to prevent non-compliance, and educates others about the importance of data security and privacy.
The best way to satisfy this principle is to have a robust privacy management program. Undertake a privacy impact assessment and understand how your organization currently handles personal information, and how it should in the future. Develop simple policies and processes that help you to stay compliant — for example, record consent and purposes of collection, ensure data accuracy, and introduce security measures. It all starts with taking a closer look at how you collect, use, and disclose personal data, and how you can demonstrate accountability.
2. Identifying Purposes
PIPEDA requires you to identify and state the purposes for data collection. Before you move to collect any personal information from a user, you first need to understand exactly what information you need to fulfil these purposes. This means you’re only collecting relevant personal data.
3. Consent
Organizations that fall under PIPEDA are generally required to collect “meaningful consent” for any collection, use, or sharing of personal information. Meaningful consent is where someone understands exactly what they’re consenting to and the consequences of that — so it needs to be presented in a straightforward, easy-to-understand way.
Sometimes consent is required for an activity or transaction to take place. In cases where it’s not essential, people must be given the choice over whether they want to agree to data collection and processing or not.
There’s some flexibility over exactly how you obtain consent. You should be mindful of the sensitivity of personal data, and seek to gain explicit consent for the collection and use of this personal information.
4. Limiting Collection
Under this principle, organizations should only seek to collect the personal information they need to fulfil a defined, legitimate purpose. This discourages organizations from collecting irrelevant personal information and helps users keep greater control over how much of their personal data is out there in the world.
This principle also sets out a requirement for organizations to collect information by “fair and lawful means.” It’s a statement that helps protect users against their information being collected for purposes other than what they thought — through the use of misdirection or deception.
5. Limiting Use, Disclosure, and Retention
Following on from the requirement to limit data collection to only what’s necessary, this principle states that this information should then only be used for the intended purposes. This prevents organizations from collecting one piece of personal information for one purpose, then reusing it for another without adequate consent. Should you wish to do so, you’d need to gain fresh consent for the new purpose.
This principle also places a requirement on organizations to only keep personal information for as long as is required to fulfil its purpose. Organizations shouldn’t hold personal data indefinitely and should have minimum and maximum retention periods in place that match the purpose.
When personal information is no longer required, organizations should dispose of it safely. This includes fully destroying personal data on devices before they are discarded or disposed of, and ensuring that any physical records are properly shredded or destroyed. Not only does this safeguard user data, but it helps to protect against potential privacy breaches.
6. Accuracy
Organizations that collect, use, and disclose personal information should make sure that the data they hold is accurate, up to date, and as complete as possible. This is to prevent organizations from using the wrong information when making decisions — for example about suitability for a job or loan.
It can be challenging to know whether a piece of information is out of date or not. To make this easier, consider recording the date of collection or update alongside personal information. This can help you decide whether you may need to review its suitability for decision-making or not.
7. Safeguards
Under PIPEDA, organizations are required to safeguard personal information. This means that all personal information should be protected against threats like loss or theft. It should also be protected against unauthorized access, use, copying, disclosure, or modification.
While PIPEDA notes that you should safeguard personal information, there are no explicit data protection methods that are required or recommended. Data security is a responsibility that falls on your organization, as you’re better placed to understand your unique ways of operating, risks, and threats.
Should a data breach occur, there are several steps an organization must take. You should report any breaches that represent a “real risk of significant harm” to the OPC and notify any affected individuals and relevant third parties. You should also keep records of all breaches — even those that don’t pose significant risk.
8. Openness
Every user should be able to easily understand exactly what PIPEDA means to them, and how an organization wants to collect, use, or disclose their personal information. That’s why there’s a principle of openness that states your information management practices should be readily available and clear to understand. At a minimum, the information you make available should include:
- Contact details for the individual responsible for privacy compliance and responding to data requests within your organization — including either their name or title
- The types of personal information collected
- Your purposes for collecting, using, and disclosing this personal information
- Details about which personal information is disclosed to third parties, and for what purpose
- The process for a user to access their personal information
- The process for a user to make a complaint
This is just a starting point, as you may wish to go into further detail about your approach to data privacy and how you manage personal information. Whichever information you choose to share beyond this, stick to this principle’s requirement for it to be in a clear, easy-to-understand format.
9. Individual Access
This principle is one of the simplest, as it gives users the right to access their personal information. Alongside this, users also gain the right to request amendments to the personal data you hold — or to challenge the accuracy of it at any time.
Under this principle, users can make a request to an organization for the disclosure of personal information relating to them. You need to confirm which information you hold, how it was obtained, how it’s used, and with which organizations it has been shared.
There’s a 30-day response time limit for these access requests, although it may be extended in special circumstances. There should be no charge, or only a minimal relevant cost, for users to exercise this right, and if there is a charge it should be clearly explained before the start of the process. Keeping track of response deadlines can be made easier with the help of a data privacy management tool.
If someone makes a request for their personal information to be updated or amended, this should be respected and actioned. If it’s relevant, this updated information should then be shared with third parties who already hold it so they can also ensure their data is accurate.
10. Challenging Compliance
There may be cases where a user feels an organization hasn’t or isn’t complying with the key principles set out in PIPEDA. This principle sets out the right for individuals to challenge whether an organization is compliant or not, by making a complaint or challenge to the person responsible for compliance at the organization.
What Happens If You Don’t Comply With PIPEDA
In cases of non-compliance, a user may wish to make a complaint. Complaints can also be made by the Privacy Commissioner if they feel there are reasonable grounds to investigate. If it’s decided that the activity or noncompliance is covered by the Act, the process will proceed.
The approach taken by the Commissioner and OPC is to seek a cooperative resolution. The goal is to resolve the issue for the user in a satisfactory way, directly with the organization if possible.
If a resolution can’t be achieved with or without the input of the OPC at this stage, the complaint will move into an investigation stage. Here, the OPC can make recommendations to the organization. While these aren’t legally binding, if they’re ignored the OPC may choose to progress the matter even further, to the Federal Court.
For complaints for non-compliance that reach federal court, further remedies are available. This means an organization could be forced to correct its practices to be compliant, be required to publish a notice of action taken against them, or pay damages to the complainant — including for any humiliation caused.
For a closer look at how the enforcement process happens, take a look at this interactive infographic provided by the OPC.
Outside of the complaints process, organizations that are knowingly in breach of PIPEDA’s requirements can be subject to a fine. At present, this fine sits at $100,000 per violation. This figure is set to rise with the introduction of Canada’s proposed Consumer Privacy Protection Act, making it more important than ever for organizations to understand their responsibilities when it comes to data privacy.
An Easier Way to Stay PIPEDA Compliant
Data privacy is more relevant to users and consumers than ever before. Canada’s existing PIPEDA and proposed future privacy legislation means that you can’t avoid your responsibilities as a private sector organization that collects, uses, and discloses personal information.
The good news is, there’s a way to make being PIPEDA compliant easy. With Enzuzo, you can manage your data privacy practices from one place — making it simpler than ever to oversee and demonstrate compliance with privacy laws like PIPEDA, GDPR, CCPA, and more.
Manage Data Privacy Requests From One Dashboard
When a user wants to make a request to access their data or make amendments, you only have a set time frame in which to do this. Make sure you never miss a deadline again with the help of our data privacy portal.
From your privacy portal, you’ll be able to view active requests and receive notifications on upcoming deadlines. You can embed your data privacy request form within your website too — so requests automatically land in your dashboard for you to view, action, and track the progress of. You’ll also be able to generate reports with just one click that demonstrate your compliance with privacy regulations around the world — including PIPEDA.
Simplifying PIPEDA Compliance for Small Businesses
PIPEDA is one of the simpler privacy laws out there, with user rights and organization responsibilities set out clearly enough for most of us to understand. Still, even with all the information available, staying compliant is all down to how you operate your business.