PIPEDA - Personal Information Protection and Electronic Documents Act

What is the purpose of PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that requires covered organizations to obtain an individual’s consent when they collect, use, or disclose that individual’s personal information. It gives individuals the right to access their personal information held by an organization and to challenge the accuracy of that information. It also prohibits organizations from using personal information for purposes other than the purpose it was initially collected for. If an organization is going to use personal information outside of the original purpose of collection, they must obtain consent again. Further, PIPEDA requires organizations to put appropriate safeguards in place to protect PII.

The law defines a “commercial activity” as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

Under PIPEDA, “personal information” includes “any factual or subjective information, recorded or not, about an identifiable individual”. This includes information in any form, such as:

  • Age, name, ID numbers, income, ethnic origin, or blood type
  • Opinions, evaluations, comments, social status, or disciplinary actions
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
  • IP address
  • Cookie data
  • Device identifiers collected by mobile apps

PIPEDA does not apply to certain categories of information, including:

  • Personal information handled by federal government organizations listed under the Privacy Act
  • Provincial or territorial governments and their agents
  • Business contact information, such as an employee’s name, title, business address, telephone number, or email address, that is collected, used, or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
  • An individual's collection, use, or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
  • An organization's collection, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes

What Types of Businesses Are Subject to PIPEDA?

PIPEDA applies to private sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity. All federally regulated organizations that conduct business in Canada are always subject to PIPEDA, including:

  • Airports, aircraft and airlines
  • Banks and authorized foreign banks
  • Inter-provincial or international transportation companies
  • Telecommunications companies
  • Offshore drilling operations
  • Radio and television broadcasters

PIPEDA applies to all companies operating in Canada regardless of where the company is based. For instance, a US website operator that collects personal information of Canadian residents would be subject to PIPEDA.

PIPEDA’s Key Requirements

Businesses covered by PIPEDA must follow 10 fair information principles to protect personal information, which include:

  • Accountability: Each entity needs to appoint someone who is responsible for PIPEDA compliance (known as a “Privacy Officer”).

  • Identifying Purposes: Each entity must identify the purposes for which they are collecting personal information, before or at the time of collection.

  • Consent: Obtain consent for the collection, use, or disclosure of personal information.

  • Limiting Collection: Each entity may only collect personal information that is necessary for the identified purposes.

  • Limiting Use, Disclosure, and Retention: Each entity may only use or share personal information for the purposes for which it was collected (unless the firm has consent or is legally obliged to use or share it for another purpose). Each entity must not store personal information for longer than necessary.

  • Accuracy: Personal information needs to be accurate, complete, and up-to-date.

  • Safeguards: Each entity needs to take appropriate security measures to protect personal information.

  • Openness: Each entity must provide a clear and detailed privacy policy to users.

  • Individual Access: Fulfill requests when individuals ask for their personal information or ask for corrections to their personal information.

  • Challenging Compliance: Individuals have the right to challenge a firm’s compliance with PIPEDA by filing a complaint.

Businesses must also appoint an employee to be responsible for their organization’s PIPEDA compliance, protect all personal information held by their organization, including any personal information they transfer to a third party for processing, and develop and implement information security policies and practices.

PIPEDA Enforcement and Penalties of Non-Compliance

The Office of the Privacy Commissioner of Canada (OPC) conducts independent investigations into the personal information handling practices of businesses subject to PIPEDA. Complaints can be initiated by individuals or the Privacy Commissioner.
