Glossary

PIPEDA: Understanding Canada’s Data Privacy Law

What is PIPEDA (The Personal Information Protection and Electronic Documents Act)?

The Personal Information Protection and Electronic Documents Act is Canada’s national private sector data privacy law, enforced by the Officer of the Privacy Commissioner or OPC. The Personal Information Protection and Electronic Documents Act Canada seeks to protect internet users’ privacy rights by requiring that organizations inform users of their data handling practices and get consent from users to collect, use, and disclose personal information. Businesses in violation of PIPEDA can receive fines of up to $80,000 if the government decides to prosecute.

PIPEDA mirrors Europe’s GDPR (General Data Protection Regulation) in many ways. As a result, it provides the equivalent of data protection to the EU (European Union). This allows for the efficient dissemination of data from Canada to the EU. 

What is Personal Information?

Under the private information act Canada, personal information refers to any subjective or factual information about an identifiable individual. Personal information under the PIPEDA model code can include examples like:

  • Personal health information
  • Cookie data
  • Employment details such as employee files
  • Credit records
  • Loan records
  • Subjective information such as opinions, evaluations, and disciplinary actions
  • Direct identifiers such as age, name, and ID numbers

How Does PIPEDA Protect an Individual’s Rights?

Before taking a closer look at how PIPEDA affects businesses, let’s examine how it applies to individuals. Under PIPEDA, individuals have the right to see the information the government has about them as well as request corrections. 

Individuals can also:

  • Ask about the collection or usage of personal information by an organization
  • Sek advisement on who within the organization is responsible for the protection of personal information 
  • Expect organizations to use, collect, or disclose personal data in an appropriate manner
  • Expect organizations to follow consent regarding personal data and to adhere to proper protection procedures and techniques
  • Report the management of personal data within an organization if privacy rights are violated

Does PIPEDA Apply to My Business?

Follow these guidelines regarding who PIPEDA applies to and who is exempt:

Who It Applies To

PIPEDA applies to any private sector organization in Canada that collects, uses, or shares personal information when conducting commercial activities. Federally regulated organizations in Canada, including banks, airlines and airports, telecommunications companies, and interprovincial and international transportation companies must follow the compliance guidelines outlined in PIPEDA. 

Who is Exempt

On the other hand, PIPEDA does not apply to charity groups, political parties, and non-profit organizations unless they engage in commercial activities that are not part of their core operations. Organizations in Quebec, British Columbia, and Alberta are also exempt from PIPEDA since they are subject to provincial private sector privacy laws similar to PIPEDA. That being said, Canadian organizations that transfer data across provincial and national borders are subject to PIPEDA, regardless of where they operate from and their province’s privacy laws.

PIPEDA Compliance: 10 Principles

In order to comply with PIPEDA, your organization or business needs to follow the 10 fair information principles, which outline the standards for the collection, use, and disclosure of personal information and user’s rights. The 10 principles include:

  • Accountability. Organizations are responsible for the personal information they store and need to appoint someone to ensure the organization is compliant with the 10 principles.
  • Identifying purposes. Organizations need to state the purposes for data collection before or at the time of data collection.
  • Consent. Organizations need to obtain implicit or explicit meaningful consent in order to collect, share, and use personal information from users. Organizations can choose to implement either opt-in or opt-out measures in order to obtain consent, depending on the sensitivity of the personal information they have collected.
  • Limiting collection. Organizations need to only collect the necessary amount of information for processing purposes.
  • Limiting use, disclosure, and retention. Organizations need to use personal information only for their stated purposes unless the users give additional consent.
  • Accuracy. Organizations need to keep personal information accurate, complete, and up to date.
  • Safeguards. Organizations need to implement safety measures to protect the personal data.
  • Openness. Organizations need to be transparent to the public about their data handling. They can apply the openness principle by including a privacy policy on their website.
  • Individual access. Organizations need to honor their users’ rights in accessing, reviewing, and correcting personal information.
  • Challenging compliance. Individuals have the right to challenge an organization’s compliance with these 10 principles. Individuals should address their inquiries to the person responsible for the organization’s compliance with PIPEDA or the chief privacy officer.

Data Breaches Under PIPEDA

According to PIPEDA (Personal Information Protection and Electronic Document Act), a data breach refers to the loss of, unauthorized access to, or unauthorized disclosure of personal information. When there is a data breach that poses a real risk or threat of significant harm to individuals, organizations need to report the data breach to the Office of the Privacy Commissioner or OPC of Canada by submitting a PIPEDA breach report form.

But what are examples of significant harm? Examples of significant harm under a data breach include reputational damage, financial loss, employment loss, and physical injury. Organizations must also notify affected individuals about the data breach as soon as possible and keep records of all data breaches for two years. Not following these data breach notification procedures counts as a violation of PIPEDA.