What is PIPEDA Compliance? Understanding Canadian Data Privacy Law

What is PIPEDA and PIPEDA Compliance?

PIPEDA, or Personal Information Protection Electronic Documents Act, is a Canadian data privacy law that governs how private sector organizations collect, use, and disclose personal information in order to carry out their business. In general, organizations covered by PIPEDA need to obtain an individual’s consent when they collect, use, or disclose that individual’s personal information (PI). That same individual can also challenge the accuracy of the information. 

PIPEDA compliance requires a deep understanding of the 10 fair information principles. While we will dive into these principles in greater detail, the overall theme is that individuals:

• Must give consent for use of their personal information.
• Can access it.
• Can correct it. 
• Know it will be safeguarded. 

What is Personal Information Under PIPEDA?

Categories of data considered personal information under PIPEDA include:

• Age, name, ID number, financial data
• Race, nationality or ethnicity
• Blood type
• DNA
• Marital status
• Opinions, assessments, comments, social status, disciplinary actions
• Medical, education and employment records
• Social insurance number or driver’s license
• Employee files, credit history and loan details

Who Needs to Comply With PIPEDA?

PIPEDA applies to the following:

• Organizations that collect, use or disclose personal information for commercial purposes.
• Foreign organizations that collect, use or disclose personal information of Canadian citizens for purposes deemed “commercial.”
• The situation does not fall under an exemption.

What is a commercial activity? The PIPEDA legislative definition is:

“Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

Essentially, it is the activity in which you are using the information that needs to be commercial in order to fall under Canadian data privacy law, not the information itself. 

You are exempted from PIPEDA compliance if you are any of the following:

• A federal government organization listed under the Privacy Act.
• A provincial and territorial government.
• A not-for-profit group, political party, political association, or charity group.
• A hospital, school, university, or municipality.

Additionally, the exemption can depend on where you’re handling the personal information. You may be exempt from PIPEDA if your province has its own privacy legislation.

For example:

• Quebec
• Alberta
• British Columbia

Lastly, an individual may be exempt from PIPEDA if they are only collecting personal information for solely personal purposes – for example collecting email addresses to send out Thank You letters. An organization is exempt from PIPEDA if it is collecting personal information for “journalist, artistic, or literary purposes.”

Requirements of PIPEDA Compliance 

There are several steps that need to be followed in order to ensure PIPEDA compliance. This includes:

Receiving an individual’s consent before handling information. This consent needs to be explicit and if you decide to use the information for a purpose different than first intended, you need to receive consent again. 

Allowing the individual to see any personal information you have about them if they ask. You must also correct any information if they claim it is inaccurate. 

Sufficiently safeguarding the information against being used for any purpose without consent or falling into someone else’s hands. You must also ensure the individual is aware of these safeguards in place.

Principles of PIPEDA

• Accountability: Organizations are responsible for any personal information they have obtained. They must appoint someone to be accountable for its compliance under the fair information principles. 
• Identifying Purposes: The purpose in which the organization intends to use one’s personal information must be identified by the organization at the time of the collection. 
• Consent: Consent of the individual is required for the collection, use, or disclosure of personal information. 
• Limiting Collection: The collection of personal information must be limited to what is needed for the purposes clearly identified by the organization. 
• Limiting Use, Disclosure, and Retention: Personal information can only be used or disclosed for the purposes in which it was collected unless the individual gives consent otherwise. The personal information can only be kept for as long as required to serve those purposes. 
• Accuracy: Personal information must be complete, accurate, and as up-to-date as possible in order to satisfy the purposes for which it is intended to be used. 
• Safeguards: Personal information must be protected by appropriate security measures relative to the sensitivity of the information collected. 
• Openness: Organizations need to be transparent about their policies and practices regarding the management of personal information and have this information be publicly and readily available. 
• Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and allowed access to that information. This individual can challenge the accuracy and completeness of the information and ask to have it amended. 
• Challenging Compliance: An individual is able to challenge an organization’s compliance to the above principles. This should be addressed to the person accountable for the organization’s compliance with PIPEDA, typically the Chief Privacy Officer.

Checklist to Become PIPEDA Compliant

In order to ensure your company is doing everything right, we recommend following this PIPEDA compliance checklist:

1. Understand whether or not PIPEDA affects you. If you’re handling PI for commercial activity in Canada the answer is most likely yes.
2. Understand the key requirements of PIPEDA. 
3. Designate someone in your organization as responsible for PIPEDA compliance.
4. Develop clear procedures and policies for your organization in order to ensure PIPEDA requirements.
5. Have a Privacy Policy that discloses your procedures and policies to consumers.
6. Keep records of any personal information you’ve collected, who you’ve received consent from, how you plan on using the information, and when you’ll dispose of it.
7. Clearly communicate to individuals how you will be handling their information and how they can access and correct it.

The Role of Data Discovery 

Companies are facing immense challenges in obeying compliance laws like PIPEDA while still leveraging data legally to boost business growth. It’s impossible for businesses to obey PIPEDA requirements and ensure compliance without precise data discovery. 

Data discovery provides solutions to questions like:

• What personal and sensitive data does my company possess?
• Where is the data stored?
• Why was the data collected?
• How is the data being used?

By incorporating data discovery tools, your company can quickly and proactively locate, track, and trace data, whether it’s stored on servers, desktops, in email and databases, on prem, and in the cloud.  

The best current data discovery tools will also keep your company PIPEDA compliant and prepared for any future compliance regulations. Compliance software has built-in intelligence that accounts for regulations like PIPEDA and ensures that you always know where your data resides and provides automated efforts to help identify personal and sensitive data exposed in a breach. 

Other Common PIPEDA Compliance FAQs

What Consumer Rights Are Protected by PIPEDA?

PIPEDA grants consumers the right to:

• Know the purposes a business is collecting, using, or sharing its information.
• Expect organizations to gather, process, or share information with accountability and not for any other reason other than what they consented to.
• Access their personal data maintained by a company without restrictions and make modifications where needed.
• File complaints about a company’s use of their data if they sense that a business is violating their privacy.
• Expect that their personal information is precise, complete, and updated at all times.

What Happens if a Breach of PIPEDA Occurs?

There are a number of outcomes that can occur if there is an alleged breach. 

Here are some of the most common:

1. “Addresses, closed at intake” outcome: You and the complainant resolve the issue yourselves without the help of a dedicated officer.
2. “Early resolution” outcome: You reach a resolution with the help of a dedicated officer from the Office of The Privacy Commissioner.
3. The “Investigation” stage: This can end with the Office of the Privacy Commissioner issuing a report of findings and recommendation of how to move forward. However, if you choose not to follow the recommendations, the case could continue to federal court where they can legally mandate that you do any or all of the following:
   • Publish a notice confirming you’ve made these changes.
   • Change your practices to comply with PIPEDA.
   • Pay damages to the person who put forth the complaint. 

What Are the Penalties For Non-Compliance?

Non-compliance fines could be up to $100,000 for companies who don’t meet PIPEDA requirements. 

Related Articles:

• PIPEDA Compliance
• Canada Data Privacy Law: PIPEDA

Guarantee your PIPEDA data protection by contacting Ground Labs, a data solutions company entirely devoted to helping organizations fulfil compliance standards.