The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canadian federal legislation governing the collection, use and disclosure of personal information by private sector organizations. It also regulates the use of electronic documents in support of e-commerce.
About the PIPEDA
The PIPEDA was enacted on April 13, 2000 in order to promote and support consumer confidence in e-commerce. The PIPEDA was based on the Canadian Standards Association’s Model Code for the Protection of Personal Information. It was also intended to reinforce privacy protection mechanisms and practices that reflected the European Union privacy directives. The PIPEDA was implemented in a number of phases over a three-year period beginning in January 2001. It has been fully in force since 2004.
The PIPEDA applies to every organization with respect to the collection, use and disclosure of personal information in the course of commercial activities. It also applies to federal works, with respect to the personal information of employees. It requires organizations to comply with ten key principles:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
However, certain provincial legislation in Alberta, British Columbia, Quebec and Ontario has been deemed substantially similar to the PIPEDA. As a result, privacy issues in the private sector of these provinces fall under the jurisdiction of provincial legislation. In these provinces, the protection of personal information is subject to provincial legislation, unless:
a) the organization is a federal department, work or business; or
b) the information is disclosed outside of the originating province in the course of the commercial activity.
Even in Alberta, British Columbia, Quebec and Ontario, the PIPEDA still applies to organizations under federal jurisdiction including companies in:
The PIPEDA defines personal information as factual or subjective information, recorded or unrecorded, about an identifiable individual. Examples include:
- Name, race, ethnicity, religion, marital status, education level
- E-mail addresses, e-mail messages, IP addresses
- Medical records: age, height, weight, blood type, DNA code, fingerprints, voiceprint
- Financial information: income, purchases, spending habits, credit/debit card data, banking information, tax returns, credit reports
- Social Insurance Number (SIN), or other identification numbers
Organizations’ Responsibilities under PIPEDA
Under the PIPEDA, organizations are obliged to follow a code regarding the protection of personal information. Organized by principle, these obligations include, but are not limited to:
1. Accountability
- Complying with all ten principles of the PIPEDA.
- Appointing an individual to be responsible for privacy compliance.
- Protecting information transferred to a third party.
- Developing and implementing privacy policies and practices in line with the PIPEDA.
2. Identifying purposes
- Identify and document the purpose and usage of personal information.
- Inform the individual about the purpose and usage of the personal information.
3. Consent
- New purposes for the information should be identified and consented to.
- Ensure the individual is informed of the purposes, use or disclosure of the personal information in a meaningful way.
4. Limiting collection
- Personal information should not be indiscriminately collected.
- Individuals should not be deceived or misled regarding the purposes for collecting their personal information.
5. Limiting use, disclosure and retention
- Personal information should be held only as long as necessary to meet the stated purposes.
- Appropriate guidelines and procedures should be designed and implemented for retaining and destroying personal information.
- Personal information used to make decisions about individuals should be held for a reasonable time, in order to allow the person to access or change the information.
6. Accuracy
- Minimize incorrect information by keeping personal information databases accurate, complete and up to date.
7. Safeguards
- Protect personal information databases against loss or theft.
- Prevent unauthorized access, disclosure, copying, use or modification of personal information, regardless of the format in which it is held.
8. Openness
- Inform stakeholders of privacy policies and practices.
- Ensure policies and practices are available and accessible.
9. Individual access
- Individuals should be informed if personal information about them is held, for what purposes and the scope of disclosure.
- On request, individuals should be given access to their information and be able to correct or complete their personal information records.
10. Challenging compliance
- Complaint procedures should be simple and accessible.
- All complaints should be investigated.
- Appropriate measures should be taken to correct privacy policies and practices.
Individuals’ Rights under PIPEDA
Although many private sector organizations must legitimately collect personal information, they are also obliged to manage such information in a way that safeguards clients’ and employees’ privacy. The PIPEDA was designed and enacted in order to enable individuals to find and maintain a certain level of control over their personal information in the private sector.
The following rights of the individual are protected under PIPEDA:
- Individuals have the right to know and understand the reasons why a private sector organization collects, uses or discloses their personal information. The purposes for information collection should be reasonable.
- Individuals can also expect such an organization to collect, use or disclose their personal information in a reasonable and appropriate manner.
- Organizations are only authorized to collect personal information with the consent of the individual in question.
- Individuals can expect organizations to protect personal information with the appropriate security safeguards and to destroy the information when it is no longer necessary for the original, stated purposes.
- Individuals have the right to access their personal information and to change it if it is no longer accurate, complete or up to date.
Filing Complaints under PIPEDA
The PIPEDA gives individuals the right to file a complaint in situations where an organization may be violating any aspect of the PIPEDA. Examples include an individual being denied access to his/her personal information, an organization choosing not to correct outdated or incomplete personal information, or an individual believing that his/her personal information has been improperly collected, used or disclosed.
The following outlines the necessary steps an individual should take to file a complaint under the PIPEDA:
- The individual should attempt to settle the disagreement directly with the organization in question. Under the PIPEDA, organizations are required to have a member of staff responsible for privacy protection and privacy-related complaints.
- The individual should file a complaint with the organization’s industry association (e.g. the Canadian Marketing Association, the Canadian Institute of Chartered Accountants, etc.). Usually, these associations have an ombudsperson or complaints office.
- The federal Privacy Commissioner is an independent ombudsman who resolves privacy disputes through the processes of negotiation, mediation and conciliation. Filing a complaint with the Privacy Commissioner will begin the process of investigation and resolution.
- The Commissioner has the authority to request personal information or adjust personal information held by the organization. The Commissioner can also recommend that the organization correct its privacy practices and policies.
- Finally, if the individual’s concerns have not been satisfactorily resolved, he/she may choose to take the complaint to the Federal Court of Canada. Alternatively, the Privacy Commissioner may take the complaint to court on behalf of the individual. The Court may award compensation for damages to the individual.
Recent Developments of PIPEDA
In 2008, the Privacy Commissioner published a number of findings regarding the PIPEDA. These were based on research and court decisions and reflect the manner in which the PIPEDA has been applied since its enactment. Most of these findings involved the following themes:
Scope of Application
- Since its enactment in 2001, the definition of “personal information” has evolved and now includes photographs, business e-mail addresses and employee identification numbers.
- The definition of “commercial activity” was also expanded and is now determined by the institution’s core activity and whether or not one of its objectives is to earn a profit for its owners.
PIPEDA Beyond Canada
- Concerns about the application of the PIPEDA beyond Canada were raised as a result of increasing cross-border activities, including outsourcing arrangements and the disclosure of banking information to international institutions.
- Surveillance is one of the more contentious issues under the PIPEDA.
- Organizations often use surveillance to prevent or deter crime or employee misconduct. This is problematic given the consent requirements, as well as the need to demonstrate the purpose for collecting personal information.
- The PIPEDA does not address specific types of technologies.
- A number of concerns have arisen around developing technologies, such as biometrics and GPS.
Data Breaches & Security Measures
- A number of high-profile data breaches have recently come into the public eye.
- While the PIPEDA requires organizations to implement safeguards appropriate to the sensitivity of the personal information, it does not specify the nature and level of security required.
Careless Disclosures & Ongoing Employee Training
- Employee training should focus on comprehensive security policies and procedures.
- Employees should be made aware of the techniques used by sophisticated fraudsters or hackers, in order to prevent unauthorized disclosures of personal information.
Collecting Too Much Information
- The PIPEDA limits the collection of personal information to that which is necessary to fulfill organizational purposes.
- Defining “reasonableness” has become a greater challenge since the PIPEDA was enacted.
- Access to personal information should be granted within a reasonable time period (no later than 30 days) and at minimal or no cost to the individual.
Secondary Marketing Purposes
- While secondary marketing can be a profitable endeavor for an organization, it may not be acceptable from its customers’ point of view.
- Opt-in/opt-out consent and reasonable expectations of the individual must be considered under the PIPEDA.
Such findings and recommendations from the Office of the Privacy Commissioner (OPC) can offer organizations a richer understanding of how the PIPEDA has been applied and of the court decisions made under it.
This article explores the Personal Information Protection and Electronic Documents Act (PIPEDA), in terms of private sector responsibilities and individuals’ privacy rights. Subsequent recommendations and findings are also discussed.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Canadian Private Sector Laws & Practices (III.A.a.)