Canada Data Privacy Laws: some background

In this day and age, where computer and electronic usage are constant, and the disclosure of personal information is the norm, it seems like every country has begun to make data privacy a greater priority. While many data privacy laws have been enacted recently - Europe’s GDPR of 2018, Brazil’s LGPD of 2020, and California’s Consumer Privacy Act (CCPA) of 2020 - there is one country that has been at the forefront of privacy rights since as early as 1983 - Canada.

There are a number of laws in Canada that relate to the privacy rights of its individuals, the two most well-known being The Privacy Act of 1983 and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Act is a law that sets out your privacy rights in relation to the interactions you have with the federal government and how they collect, use, and disclose your personal information. Not only does the Privacy Act ensure that your personal information is being protected, but it gives you the right to request access to the information they have about you. About a decade later, conversation began moving beyond just data privacy in relation to the federal government. Organizations, corporations, and their customers began voicing concerns about how personal information was being collected and protected. Enter PIPEDA.

What is PIPEDA?

Succeeding the Privacy Act of 1983, the Parliament of Canada enacted the Personal Information Protection and Electronic Documents Act, better known as PIPEDA. The goal of this act is to balance individuals’ right to privacy for their sensitive personal data with the need of organizations to collect, use, or disclose personal information in order to carry out their business.

As of May 2019, organizations that have to comply with PIPEDA must always obtain an individual’s consent when they collect, use, or disclose that individual’s personal information. Individuals also have the right to access their personal information upon request, challenge its accuracy, or request that it be updated.

Lastly, personal information can only be used for the purpose for which it was collected. If an organization wants to use it for another purpose, consent must be obtained again. Organizations are also expected to have safeguards or tools in place to protect this sensitive information.

The 10 principles of PIPEDA

Businesses that are subject to PIPEDA are asked to follow what are referred to as the 10 fair information principles, which are as follows:

  • Accountability: An organization is responsible for the personal information that is under its control. It must appoint a Privacy Officer whose purpose is to ensure compliance with PIPEDA.
  • Identifying Purposes: Organizations must identify the purposes for which personal data is being collected before or at the time of collection.
  • Consent: Individuals’ consent is required for the collection, use, or disclosure of personal information. 
  • Limiting Collection: Information must be collected by lawful and fair means and must be limited to the data needed for the purpose identified by the organization.
  • Limiting Use, Disclosure, and Retention: Personal information can only be used or disclosed for the purposes for which it was collected and must be kept only for the duration required to serve these purposes - unless the individual consents otherwise or it is required by law.
  • Accuracy: Personal information must be accurate, complete, and as up-to-date as possible in order to properly fulfill the purposes for which it is to be used. 
  • Safeguards: Personal information must be securely protected relative to the sensitivity of the information. 
  • Openness: Organizations must be open about their policies and practices relating to the management of personal data in a format that is understandable and easily available to individuals. 
  • Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to it. They also have the right to challenge the accuracy of that information and have it amended as needed. 
  • Challenging Compliance: An individual can challenge an organization’s compliance with PIPEDA’s principles and should address their challenge to the company’s Privacy Officer who’s in charge of PIPEDA compliance.

Who does PIPEDA apply to?

Generally, PIPEDA applies to private sector organizations that are not federally regulated and conduct business in:

  • Manitoba
  • New Brunswick
  • Newfoundland and Labrador
  • Northwest Territories
  • Nova Scotia
  • Nunavut
  • Ontario
  • Prince Edward Island
  • Saskatchewan
  • Yukon

PIPEDA also applies to commercial organizations that use or disclose personal information in the course of commercial activity. Federally regulated businesses such as airlines, banks, and telecommunications companies are also subject to PIPEDA.

Not-for-profit organizations, political parties, educational institutions, and hospitals are exempt, as long as they don’t partake in commercial activities. An example is an organization that fundraises and compiles lists of donors and members for the sole purpose of communication.

How can I maintain compliance under PIPEDA?

Failure to maintain compliance under PIPEDA can lead to hefty fines, loss of trust from your customers, and risk to the integrity of your business. While the process of ensuring compliance and following each of the 10 fair information principles can seem daunting, it’s important to take the process one step at a time. And that begins with having awareness of where your organization’s personal data resides.

The best way to achieve this is with Ground Labs’ data discovery solution, Enterprise Recon. Ground Labs makes finding and remediating sensitive data simple and allows your organization to start the process of maintaining PIPEDA compliance on the right foot. Powered by GLASS™ technology, Enterprise Recon enables the quickest and most accurate data discovery across the broadest range of platforms - ensuring that you always know where your data resides and that your Canadian business can continue to flourish and keep personal and sensitive data secure.

Ready to learn more about how to maintain PIPEDA compliance with Enterprise Recon? Schedule a demo today.
