What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that received Royal Assent on April 13, 2000, and came into force in stages, starting January 1, 2001. The law was fully enacted on January 1, 2004.
PIPEDA enables Canadian businesses to compete in the global digital economy while alleviating concerns about consumer privacy. The law must be reviewed every five years to ensure effective legislation and outcomes such as protecting personal information.
Personal information is any subjective or factual information about an identifiable individual. It contains elements like:
- Personal health information (PHI).
- Credit and loan records.
- Subjective information like opinions, evaluations, comments, social status and disciplinary actions.
- Direct identifiers such as name, address, birthday (age), ID numbers, ethnic origin and blood type.
Compliance is Required!
- Customer names, credit card numbers, private information.
- Employee details and file, income credit records, loan records and medical records.
- Existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
PIPEDA sets out organizations’ responsibilities for the 10 fair information principles listed below. It outlines how to fulfill these responsibilities and offers some tips.
Principle 1 - Accountability An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
Principle 2 - Identifying Purposes The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
Principle 3 - Consent The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 - Limiting Collection The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Principle 6 - Accuracy Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Principle 7 - Safeguards Personal information must be protected by appropriate security relative to the sensitivity of the information.
Principle 8 - Openness An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Principle 9 - Individual Access Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
Our Compliance-as-a-Service (CaaS) solution can help your business achieve, maintain and demonstrate its data security compliance requirements. Let us show you how you can simplify your compliance processes and run your business without any regulatory glitches.