Canadian Federal Law Personal Information Protection and Electronic Documents Act
The Canadian Federal Law of Personal Information Protection and Electronic Documents Act (PIPEDA) is a law protecting data privacy. It governs and lays down the regulatory requirements for private organizations that collect, use and share customers’/clients’ personal information. The PIPEDA dictates 10 principles governing how businesses in Canada can collect, use, disclose or allow access to personal information.
The PIPEDA came into effect as a law in April 2000, intending to increase consumers’ trust in e-commerce. Parts of the PIPEDA are reviewed by the Parliament every 5 years. Since its inception, the law has expanded to cover more industries like banking, health, broadcasting, etc.
As the Canadian counterpart of the General Data Protection Regulation (GDPR) of the European Union, there are some similarities between the two regulatory Acts. Under the PIPEDA too, the rights to data privacy held by individuals and the notification requirements for businesses are nearly consistent with Canada’s trading partners, the EU.
How Does PIPEDA Affect My Business?
If you are running a private enterprise in Canada that collects personal information during its day-to-day commercial activity, your business is subject to compliance with the PIPEDA.
Personal information under the PIPEDA includes
- General information like name, age, ID numbers, income, blood group, ethnic origin
- Subjective information like comments, opinions, evaluations, social status, disciplinary actions
- Records such as credit reports, loan records, medical records, employee files, legal records
The PIPEDA regulates the way you collect, use and disclose this personal information based on the following 10 principles.
Accountability – An organization is responsible for the personal information it holds and must appoint someone to be accountable for compliance with the data privacy principles.
Identifying purposes – The purpose for which personal information is being collected must be identified and disclosed by the business before or at the time of collection itself.
Consent – The meaningful consent of an individual must be taken before collecting, using, or disclosing their personal information.
Limiting collection – The collection of personal information must be limited to what is necessary for the purpose stated by the organization.
Limiting use, disclosure, and retention – Unless required by law or with the individual’s consent, the personal information must be used and disclosed only for the purpose it was collected. The information must be retained only for as long as the purpose requires it.
Accuracy – The personal information must be accurate to serve the purpose for which it is collected.
Safeguards – There should be appropriate security to protect personal information according to the sensitivity of the information.
Openness – The organization must disclose its privacy policies and practices, publicly and readily available.
Individual access – If requested, an individual must be given access to their personal information held by the organization. Individuals can also challenge the accuracy and completeness of the information and have it amended as appropriate.
Challenging compliance – An individual has the right to challenge an organization’s compliance with the PIPEDA principles.
Rights of individuals
The 9th and 10th Principles of the PIPEDA lays out the rights of individuals under the law. Individuals have the right to access their information held by a business and challenge its accuracy., they can also have it amended if they find the information to be inaccurate.
Individuals may also challenge an organization’s compliance with PIPEDA. The challenge should be addressed to the person appointed to be accountable by the organization. In most cases, this is usually the chief Privacy Officer of an organization.
Cross border transfers
Though PIPEDA governs Canadian businesses only, any business that handles personal information in Canada and has commercial activity across provincial/ national boundaries is subject to compliance with PIPEDA. In this case, it does not matter where the origin of the business is. Technology can help achieve and maintain compliance with the PIPEDA and other global data regulations.
How the PIPEDA applies in Canada
Any Federally governed organization that conducts commercial activity in Canada is liable to comply with the PIPEDA.
British Columbia, Alberta, Quebec
British Columbia, Alberta, and Quebec are, however, exempted from the PIPEDA as these provinces have their own privacy laws for private-sector organizations, which are considered to be substantially similar to the PIPEDA.
Data security and compliance with privacy laws are paramount for businesses today. Leaving aside the legal implications, the mere fact that consumer trust in an organization should be enough to drive businesses towards compliance and transparency. Organisations with global operations, therefore, processing data under multiple regulations may benefit from placing their compliance with a global data privacy managed service provider.