PIPEDA – Personal Information Protection and Electronic Documents Act
What is the purpose of PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that requires covered organizations to obtain an individual’s consent when they collect, use, or disclose that individual’s personal information. It gives individuals the right to access their personal information held by an organization and to challenge the accuracy of that information. It also prohibits organizations from using personal information for purposes other than the purpose it was initially collected for. If an organization is going to use personal information outside of the original purpose of collection, they must obtain consent again. Further, PIPEDA requires organizations to put appropriate safeguards in place to protect PII.
The law defines a “commercial activity” as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
Under PIPEDA, “personal information” includes “any factual or subjective information, recorded or not, about an identifiable individual”. This includes information in any form, such as:
PIPEDA does not apply to certain categories of information, including:
What Types of Businesses Are Subject to PIPEDA?
PIPEDA applies to private sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity. All federally regulated organizations that conduct business in Canada are always subject to PIPEDA, including:
PIPEDA applies to all companies operating in Canada regardless of where the company is based. For instance, a US website operator that collects personal information of Canadian residents would be subject to PIPEDA.
PIPEDA’s Key requirements
Businesses covered by PIPEDA must follow 10 fair information principles to protect personal information, which include:
Businesses must also appoint an employee to be responsible for their organization’s PIPEDA compliance, protect all personal information held by their organization, including any personal information they transfer to a third party for processing, and develop and implement information security policies and practices.
PIPEDA Enforcement and Penalties of Non-Compliance
The Office of the Privacy Commissioner of Canada (OPC) conducts independent investigations into the personal information handling practices of businesses subject to PIPEDA. Complaints can be initiated by individuals or the Privacy Commissioner.