The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law that governs how private sector organizations collect, use, and disclose personal information when conducting commercial activities. By setting strict requirements for private businesses, PIPEDA ensures that individuals and customers have control over how their data is managed.

This blog explores the main data privacy and data protection principles that PIPEDA sets out, how businesses can comply with the regulation, and the specific obligations it places on private sector businesses.


What is PIPEDA?

PIPEDA received Royal Assent in 2000 and came into force in stages beginning in 2001, with the aim of promoting consumer trust in e-commerce. It was also enacted so that Canadian privacy protection would be recognized as adequate under the European Union’s Data Protection Directive (DPD), allowing personal data of EU residents to flow to Canadian businesses. The DPD was later replaced by the General Data Protection Regulation (GDPR), the current main data privacy regulation governing European businesses.

Today, PIPEDA is Canada’s main privacy legislation regulating how businesses manage their data-handling policies and outlining individual rights when it comes to accessing data and providing consent. PIPEDA is required to be reviewed by the Canadian Parliament every five years to ensure it is updated with the latest data protection principles and to propose amendments as needed.

PIPEDA’s 10 Fair Information Principles + Compliance Guide

PIPEDA is based on the 10 Fair Information Principles, listed in Schedule 1 of the Act. These data privacy principles of PIPEDA provide a framework for how organizations should handle and collect personal information and define specific actions and responsibilities that they can take to meet PIPEDA requirements.

Principle 1 - Accountability

Organizations are responsible for the personal information under their control and must appoint a Privacy Officer to ensure compliance with PIPEDA.

Action: Designate a specialized or competent individual as the Privacy Officer.

This individual should be trained and knowledgeable about PIPEDA’s regulatory requirements and privacy best practices. The Privacy Officer should have the authority to make decisions related to privacy policies and procedures, be in charge of implementing established procedures for protecting personal information, and develop internal processes for handling customer information.

Principle 2 - Identifying Purposes

The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.

Action: Organizations must clearly identify and document the purposes for which they are collecting personal information before or during the collection process. All purposes must be documented and all relevant customers and clients must be notified ahead of time.

Under this principle, organizations must identify, document, and specify their purposes clearly and ensure that those purposes are communicated effectively to individuals. Identifying purposes is required when obtaining consent from the individual, as part of overall efforts to ensure individuals have complete knowledge of how their data is being handled.

Principle 3 - Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Action: Organizations must obtain “meaningful consent” from individuals when collecting, using, or disclosing personal information. The exceptions, where personal information may be collected, used, or disclosed without the individual’s knowledge or consent for legal, medical, or security reasons, are specified in Section 7 of PIPEDA.

Meaningful consent requires the organization to properly communicate its privacy policies to the individual, identify what information is being collected, which parties will have access to that information, and for what purposes the information will be disclosed. Organizations must make reasonable efforts to inform individuals on how their data will be handled and allow them to make a clear decision to accept or reject the terms of their data collection.

An organization cannot, as a condition of providing a product or service, require consent to collect, use, or disclose information beyond what is needed to fulfil the explicitly specified and legitimate purposes, and consent cannot be coerced or obtained through deception. The individual can also withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and the organization must inform the individual of the implications of withdrawing.

Principle 4 - Limiting Collection

The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.

Action: Organizations must review their information collection policies to ensure that the collection of personal information is limited to the purposes identified in Principle 2.

Information collection processes must be carried out through fair and lawful means, without deception, and must distinguish between optional and mandatory information. In some cases, collecting certain sensitive data is necessary to perform a service. All data collection processes must be documented at the time the information is collected.

Each information type that is collected must be assigned a specific purpose and all relevant personnel involved in the data collection must be trained and informed on collection limitations.

Principle 5 - Limiting Use, Disclosure, and Retention

Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.

Action: Organizations must review their data usage, disclosure, and retention processes to ensure they are limited to the purposes defined in Principle 2.

All use and disclosure of collected information must be properly documented and specified for which purpose it was intended. If the purpose for which the information was meant to be used has changed for a new purpose, the new purpose must be documented, individuals must be contacted and informed of the new purpose, and consent must be obtained again.

In addition, information that is no longer needed for its intended purpose must be destroyed in a safe and secure manner. Guidelines must be implemented for minimum and maximum data retention periods, data destruction best practices, and individual access to the data after the retention period.

Principle 6 - Accuracy

Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.

Action: Organizations must ensure that collected personal information is accurate and up-to-date through regular accuracy verification policies.

Additionally, organizations must identify which types of information need to be regularly updated and verified for completeness and accuracy. To identify these information types, organizations must determine where instances of outdated information could negatively influence or otherwise cause significant harm to the individual or customer.

In some cases, organizations can put the responsibility on the customer to update their personal information, such as an email or physical address for communications or delivery.

Principle 7 - Safeguards

Personal information must be protected by appropriate security relative to the sensitivity of the information.

Action: Organizations must review information security policies and implement appropriate security safeguards and security measures to prevent data breaches.

All policies regarding the handling, collection, use, and retention of data must be reviewed to determine whether or not existing processes are sufficient. If there are any security gaps, the organization must develop or update policies to address the issues to ensure adequate safeguards.

Safeguards that need to be considered are:

  • Organizational
  • Technological
  • Employee awareness
  • Physical
  • Secure disposal
  • Remote work, telework, or work outside the office
  • Data transmissions

Principle 8 - Openness

An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.

Action: Create a detailed privacy policy and make it readily available to the public.

Privacy policies can be made available through websites, brochures, or customer service representatives. Ensure that the information is clear, concise, and easy to understand.

As an additional step, the privacy policy should include the contact information of the designated Privacy Officer, an outline of how personal information is collected, used, and disclosed, instructions for reporting or registering complaints, and any other relevant standards or codes that may affect personal information.

Organizations should be prepared to present their policies to demonstrate compliance with PIPEDA and to allow individuals to exercise their privacy rights. Should individuals choose to withdraw their consent, clear instructions should be made available on how they can do so.

Principle 9 - Individual Access

Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Action: Ensure there are existing policies for handling data access requests at minimal or no cost to the individual.

The information provided to the individual must be accurate and understandable to the individual, so any abbreviations, codes, or terminology must be explained. The response must also include an account of how the information has been used and to whom it has been disclosed, including any third parties that had access to it.

Principle 4.9 and section 8 of PIPEDA require organizations to respond to an access request within 30 days of receiving it, either by providing the information or by telling the individual in writing why it cannot be provided. The 30-day limit can be extended (for example, by up to 30 additional days where responding in time would unreasonably interfere with the organization’s activities), but only if the organization sends the individual a notice of the extension within the first 30 days stating the new time limit, the reasons for the extension, and the individual’s right to complain to the Office of the Privacy Commissioner of Canada (OPC) about the extension.

If a request is refused, the organization must inform the individual in writing, setting out the reasons for the refusal and any recourse available to them, including a complaint to the OPC. An organization that fails to respond within the time limit is deemed to have refused the request.

Principle 10 - Challenging Compliance

An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually the designated Privacy Officer.

Action: Establish procedures to handle complaints or inquiries from individuals challenging organizational compliance with PIPEDA.

Organizations must establish simple policies to record the date and nature of the complaint, acknowledgment of the complaint, and communication procedures while investigations are carried out. Furthermore, investigation results must also be provided to the challenging individual and any additional steps that are required following the complaint in accordance with the "Openness” principle.

The designated Privacy Officer should be in charge of handling such complaints and ensuring that any issues are addressed properly and that relevant staff are trained to deal with any complaints.

Who does PIPEDA apply to?

PIPEDA applies to all private sector organizations that collect, use, or disclose personal information in the course of commercial activities across Canada. This includes businesses of all sizes, from large corporations to small enterprises, as well as not-for-profit organizations that engage in commercial activities.

PIPEDA also extends to federally regulated industries that participate in commercial activities. These businesses do not fall under Canada’s Privacy Act, which regulates the handling of personal information by the federal government. These industries include:

  • Airports, aircraft, and airlines
  • Banks and authorized foreign banks
  • Inter-provincial or international transportation companies
  • Telecommunications companies
  • Offshore drilling operations
  • Radio and television broadcasters

Note: Organizations in the Northwest Territories, Yukon, and Nunavut are federally regulated and, therefore, also covered by PIPEDA.

Businesses located outside Canada that conduct commercial activities in Canada and handle the personal information of individuals in Canada are also subject to PIPEDA requirements.

What is not covered under PIPEDA?

PIPEDA does not apply to:

  • Personal information collected or handled by federal government organizations under the Privacy Act
  • Collection, use, or disclosure that takes place entirely within Alberta, British Columbia, or Quebec, because these provinces have private-sector privacy laws that have been deemed substantially similar to PIPEDA. Federally regulated organizations in those provinces, and personal information that crosses provincial or national borders, remain covered by PIPEDA.
  • Personal information collected, used, or disclosed by an individual for personal or domestic purposes
  • Personal information collected, used, or disclosed by an organization for journalistic, artistic, or literary purposes

Is PIPEDA compliance mandatory?

Yes, PIPEDA compliance is mandatory for all private-sector and federally-regulated organizations that engage in commercial activities in Canada. Compliance ensures that personal information is protected and that individuals understand how their information is being handled.

Penalties for non-compliance

Organizations that fail to comply with PIPEDA may face significant consequences, including:

  • Investigations and audits: The Office of the Privacy Commissioner of Canada (OPC) can investigate complaints and conduct audits to ensure compliance. OPC can then determine if any disciplinary action is required following a PIPEDA violation.
  • Fines and penalties: Contravening certain obligations is an offence under section 28 of PIPEDA. For instance, knowingly failing to report a breach of security safeguards to the OPC, knowingly failing to keep records of breaches, or obstructing an OPC investigation can result in fines of up to CAD$100,000.
  • Legal action: Affected individuals can take legal action against organizations for damages resulting from violations of PIPEDA.
