Complying With PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's main federal law relating to privacy in the private sector. It covers personal information collected, used or disclosed while carrying out commercial activities.
When handling this personal information you must follow 10 fair information principles. The overall effect of these principles is that individuals:
- Give consent to the use of their personal information
- Can access it
- Can correct it
- Know it will be safeguarded
Individuals can formally complain about your business breaching PIPEDA.
Normally these complaints go to mediation, but some cases may go to the Office of the Privacy Commissioner for recommendations, or even to the Federal Court for a court order. Some serious breaches of PIPEDA are automatically a criminal offence.
Let's get into some specifics about PIPEDA.
- 1. Does PIPEDA Affect You?
- 1.1. Personal Information
- 1.2. Commercial Activity
- 1.3. Exemptions
- 1.3.1. Who You Are
- 1.3.2. What Information You're Handling
- 1.3.3. Where You're Handling Information
- 1.3.4. Why You're Handling The Information
- 2. Requirements of PIPEDA
- 3. Principles of PIPEDA
- 3.1. 1. Accountability
- 3.2. 2. Identifying Purposes
- 3.3. 3. Consent
- 3.4. 4. Limiting Collection
- 3.5. 5. Limiting Use, Disclosure, and Retention
- 3.6. 6. Accuracy
- 3.7. 7. Safeguards
- 3.8. 8. Openness
- 3.9. 9. Individual Access
- 3.10. 10. Challenging Compliance
- 4. Breaches of PIPEDA
- 5. Conclusion
Does PIPEDA Affect You?
In simple terms, PIPEDA applies to any situation where:
- You are handling personal information,
- You are doing it in the course of a commercial activity, and
- The situation isn't covered by an exemption
Let's break these down in detail.
Personal Information
The legislative text of PIPEDA itself simply defines personal information as "information about an identifiable individual."
Meanwhile, the Office of the Privacy Commissioner clarifies that this information can be factual or subjective. It goes on to give a wide range of examples.
The most important thing to understand is that "personal information" is not restricted to what you might think of as somebody's personal life. For example, it could cover information relating to the person's activities and status as an employee or consumer.
"Handling" personal information covers collecting, disclosing or using the information. The data doesn't have to be recorded or stored.
Commercial Activity
PIPEDA's legislative text gives a more detailed definition of commercial activity, namely:
"Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."
A key point to remember here is that it's the activity for which you are using the information that must be "commercial," not the information itself.
It's easy to see that having a website to advertise your business clearly counts as a commercial activity.
Exemptions
PIPEDA does lay down several exemptions that mean the requirements don't apply even if you're handling personal information in the course of a commercial activity. The exemptions are very specific and can depend on who you are, what information you're handling, where you handle it, or why you do it.
Who You Are
- Federal government organizations listed under the Privacy Act are exempt from PIPEDA.
- Provincial and territorial governments are exempt from PIPEDA, as are their agents.
- Not-for-profit groups, charity groups, political parties and political associations are generally exempt from PIPEDA. However, PIPEDA does apply where such organizations are carrying out a commercial activity that isn't "central to their mandate."
- Hospitals, municipalities, schools and universities are usually exempt because of being covered by a provincial law instead.
What Information You're Handling
Business contact information is usually exempt from PIPEDA as long as you only use it for contacting the person in a professional capacity.
Where You're Handling Information
You may be exempt from PIPEDA if your province has its own privacy legislation. The Office of the Privacy Commissioner notes that this can apply generally in:
- British Columbia
It can also apply specifically to personal health information in:
- New Brunswick
- Nova Scotia
This exemption only applies to commercial activities that are solely within the relevant province. It doesn't apply to interprovincial or international transactions.
This exemption doesn't apply at all to federally regulated organizations, regardless of where the commercial activities happen.
Why You're Handling The Information
An individual is exempt from PIPEDA if they are collecting the personal information solely for personal purposes. The Office of the Privacy Commissioner gives the example of collecting addresses to send out personal greeting cards.
An organization is exempt from PIPEDA if they are collecting the personal information solely for "journalistic, artistic or literary purposes."
Requirements of PIPEDA
To comply with PIPEDA you must take several steps when handling the personal information.
The first step is to get the individual's consent before handling the information. This usually has to be explicit consent. You should only ever work on an "opt-out" basis if the information is already publicly available.
Here's how IntelliWHiTE uses checkboxes to get consent to send emails and product offers when collecting email addresses and names:
The consent must be obtained to handle the information for a specific stated purpose. If you later decide to use the information for a different purpose you must get fresh consent.
In the example above, if IntelliWHiTE decided it wanted to use email addresses for anything other than "general emails and product offers" it would have to get fresh consent for that different purpose.
The second step is to let the individual see what personal information you hold about them if they ask. You must also correct the information if they show it is inaccurate.
Here's how Perth & Smiths Falls District Hospital explains how patients can request a correction to their information, and how the hospital deals with such requests:
The third step is to adequately safeguard the information against being used for any purpose without consent, or falling into somebody else's hands. You should make sure individuals are aware of these safeguards.
Principles of PIPEDA
While complying with PIPEDA can be a broad and complicated operation, it lays down 10 principles to follow. These are not simply guidelines or helpful tips: they are specifically detailed in the legislation itself and must be complied with.
They share a common theme that to properly comply with PIPEDA you need to act when or even before you first collect the information.
The principles, and some of the practical steps you can take to comply, are as follows.
1. Accountability
Conduct a privacy law self-audit so you know exactly what privacy practices your business engages in and what information you need to disclose to your users.
2. Identifying Purposes
You should always decide and record the purpose for which you are collecting a particular piece of information. This helps make sure you:
- Can tell individuals why you collected the information
- Take necessary steps to avoid using it for another reason
- Know when you are using it for another reason and thus need to get fresh consent
3. Consent
You must always get clear and informed consent from the individual before collecting information. You need to make sure the individual understands what giving consent means and that they don't feel pressured or tricked into giving it. You should document any situations where you decide you don't need to gain consent.
This form from Swim Ontario is a good example of including enough detail to be sure the individual has given informed consent:
4. Limiting Collection
You should only ever collect information that's strictly necessary for the purposes for which the individual consented.
Review your data collection procedures to distinguish between information that you have to collect (for example, so you can provide a service) and information that you aren't required to collect (for example, to make your operations easier).
5. Limiting Use, Disclosure, and Retention
You should develop policies and procedures to make sure you only use personal information for the purposes for which the individual consented.
You also need to have a policy for how long you hold on to information. Generally, this should be no longer than necessary to carry out the stated purpose.
However, if you use the information to make a decision about the individual, you must hold on to the information for long enough that the individual has a chance to review it.
6. Accuracy
You must keep personal information as "accurate, complete, and up-to-date" as is needed for the stated purpose. Exactly how you do this will depend on how you use the information.
One important point is to keep information up-to-date enough to minimize the risk of using outdated information to make a decision regarding the individual.
7. Safeguards
You must protect the information against unauthorized access, theft, copying or alteration, including when you are destroying records.
The level of security in these safeguards should be appropriate to the sensitivity of the information. Your safeguards can include access controls such as passwords, organizational measures such as only giving certain staff permission to access the information, and technological measures such as encryption.
8. Openness
Include the name and contact information for the person you designated as responsible for complying with PIPEDA.
One approach, as used here by Gerber Life, is to base the policy notice you publish around the PIPEDA principles:
9. Individual Access
If an individual makes a written request regarding their personal information, you must respond with details of whether you hold personal information about them, what that information is, how you've used it, and what third parties you've shared it with.
You must also let them say if the information is inaccurate or incomplete, and you must correct or update it if appropriate.
Usually you must give a full response within 30 days of the initial request.
10. Challenging Compliance
You must have procedures in place to receive, consider and respond to a complaint that you aren't complying with these principles.
You'll need to investigate the complaint and take necessary action if you find it's justified. This may include changing your policies or procedures.
You must tell the individual what, if any, action you've taken, as well as what measures they can take if they aren't satisfied with your response.
Breaches of PIPEDA
The range of possible outcomes after an alleged breach of PIPEDA is complicated. The general idea is to try to resolve it amicably early on but with the possibility of firmer consequences if needed.
This flowchart from the Office of the Privacy Commissioner summarizes the process.
The "Addresses, closed at intake" outcome is where you and the complainant resolve the issue yourselves without any outside help.
By contrast, the "Early resolution" outcome is where you reach a resolution after mediation with the help of a dedicated officer from the Office of the Privacy Commissioner.
The "Investigation" stage can end with the Office of the Privacy Commissioner issuing a report of findings and recommendations. These recommendations are not legally binding orders in themselves.
However, if you don't follow the recommendations the case could go to a federal court, which can legally order that you do any or all of the following:
- Change your practices to comply with PIPEDA
- Publish a notice to say you've made these changes
- Pay damages to the person who brought the complaint
PIPEDA lists three specific criminal offences, namely:
- Intentionally destroying information after somebody makes a valid request to access it
- Retaliating against an employee who has complained about a breach or refused to breach PIPEDA themselves
- Obstructing officials investigating a complaint
Doing any of these could lead to criminal prosecution.
Conclusion
There's a lot of detail to consider with PIPEDA because handling personal information is such a broad area for any business. So let's recap the seven main things you need to know and do to avoid breaching the law.
- Understand whether and when PIPEDA affects you. If you are handling personal information in the course of commercial activities in Canada, PIPEDA normally applies. The main exceptions are for activity within a province that has its own laws on personal information, and for non-business groups carrying out their main purpose (such as charity work or political campaigning).
- Understand the key requirements: you must get specific, informed consent from the individual to use information for a specific purpose; you must let them see and, if necessary, correct the information; and you must safeguard the information.
- Designate a senior person from your organization to take responsibility for PIPEDA compliance.
- Keep records of the purpose for which you gather information, the consent you've gathered, the ways in which you use or share the information, and when you should dispose of it.
- Make sure individuals know how you handle information, how they can access and correct it, and how they can complain if they think you've breached PIPEDA. Make sure you have systems in place to deal with any of these requests or complaints.
- Never destroy information after a valid access request, retaliate against an employee's legitimate behavior in relation to PIPEDA, or obstruct any investigation into alleged breaches. These are all criminal offences.