PIPEDA Compliance Checklist
Determining what you need to do to comply with PIPEDA can be difficult. This is because PIPEDA imposes ten fair information principles, each with their own set of requirements. To be PIPEDA compliant, organizations must comply with each of the ten principles in their entirety. The PIPEDA compliance checklist below can be used to determine if you are meeting all of PIPEDA’s requirements, or if you are only partially meeting them.
What Are PIPEDA’s Ten Fair Information Principles?
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Your PIPEDA Compliance Checklist
To meet PIPEDA requirements, businesses must have documentation in place proving that they meet each of the ten fair information principles. Documentation must cover each of the ten principles in their entirety.
1. Accountability
The first section of the PIPEDA compliance checklist relates to Principle 1 – Accountability, requiring organizations to identify who is responsible for privacy governance and management.
Under the accountability principle, organizations must:
- Designate an employee who is responsible for PIPEDA compliance, privacy governance, and management
- Direct staff members to provide the name, address and phone number of the PIPEDA contact person to individuals, when requested
- Review privacy policies for completeness and ease of understanding
- Cover both customer and employee personal information in privacy policies
- Clearly indicate within your privacy policy that you are responsible for all personal information (PI) you hold, control, or transfer to a third-party for processing
- Have third-party custodian processing contracts that provide for a comparable level of privacy protection of PI that you give to your own PI
- Verify that third parties have implemented contractual privacy controls
- Communicate personal information handling policies, procedures and practices to staff
- Train staff on organizational privacy policies, procedures and best practices
- Have a process to identify when new and refresher staff training is needed
- Have documentation explaining PI policies and procedures to customers and the public
2. Identifying Purposes
Principle 2 relates to identifying the purpose for use and collection of personal information by your organization.
Under the identifying purposes principle, organizations must:
- Identify and document why you are collecting PI, at or before the time of collection
- Inform individuals of collection purposes at or before collection time, orally or in writing
- Notify individuals of new PI use purposes, if they weren’t identified when information was collected
- Obtain required client and customer consent before using information for new purposes
- Notify clients and customers of the purposes before using or disclosing PI, if notification at collection time wasn’t practical
- Determine the amounts and types of PI needed to fulfill your purpose(s)
- Determine why you are collecting PI, and that the amount and types of PI collected are reasonable in normal business circumstances
- Distinguish between primary (main) and secondary (other) collection purposes
- Inform staff on what to do when clients and customers opt out of secondary uses
3. Consent
Principle 3 relates to consent from customers to use, disclose, or collect PI.
Under the consent principle, organizations must:
- Obtain customer consent for any collection, use or disclosure of PI, or, if you did not obtain such consent, first determined that consent was not required
- Make reasonable efforts to ensure that individuals are notified of the purposes for PI use or disclosure
- Ensure that staff do not require clients and customers to consent to the collection, use or disclosure of PI beyond what is necessary to fulfill explicitly specified and limited purposes
- Assess the purposes and limit the collection, use and disclosure of PI when doing so is required to obtain a product or service
- Obtain consent through lawful and fair means
- Allows customers to withdraw consent at any time subject to legal or contractual restrictions and reasonable notice
- Inform clients and customers of the implication of the withdrawal of consent
- Consider the sensitivity, intended use of PI, and reasonable expectations of clients and customers, in determining which consent (implied or expressed) you’ll accept for PI collection, use and disclosure
4. Limiting Collection
Principle 4 relates to limiting the collection of PI.
Under the limiting collection principle, organizations must:
- Limit the amount and type of PI you collect to what is necessary for the identified purpose
- Collect information only by fair and lawful means
- Document the specific types of information you collect, along with the purposes for collection
- Document when you collect information about people from sources other than the people themselves
- Distinguish between mandatory and optional collection of PI
- Limit your collection of social insurance numbers (SINs) to legally established purposes
5. Limiting Use, Disclosure, and Retention
Principle 5 relates to limiting use and disclosure of PI, and how PI is retained.
Under the limiting use, disclosure, and retention principle, organizations must:
- Only use or disclose PI for purposes it was collected, except with consent or when legally required
- Document new purposes conceived after the PI is collected
- Only retain PI as long as necessary to fulfill identified purposes
- Retain PI used to make decisions about someone long enough for them to request access to it
- Have a policy for the destruction of PI
- Cover the role of contractors in the PI destruction policy
6. Accuracy
Principle 6 relates to the accuracy of PI.
Under the accuracy principle, organizations must:
- Use reasonable measures to ensure PI is accurate, complete and current before using it to make decisions
- Only update PI if doing so is necessary to fulfill the purposes for which the PI was collected
- Have a process through which individuals can challenge the accuracy of PI
- Specify when updates are appropriate based on the defined purposes and uses of PI, as well as the interests of the individual
- Record when and where key information was collected, including correction or update dates to PI
- Conduct periodic accuracy spot-checks, assessments or audits of PI holdings and databases
8. Safeguards
Principle 7 relates to the safeguarding PI.
Under the safeguards principle, organizations must:
- Adopt physical, technical and administrative safeguards to protect PI from loss, theft, unauthorized access, disclosure, copying, use or modification
- Choose security safeguards commensurate with the sensitivity of PI and how it’s transmitted
- Protect all personal information regardless of the format in which it is held
- Make employees aware of the importance of maintaining the confidentiality of PI
- Implement processes to prevent unauthorized access to PI during PI disposal or destruction
- Implement, and adhere to, required information security policies and practices
- Establish a PI security breach policy requiring investigating the root-cause of breaches
- Develop and implement appropriate safeguards for all uses of PI outside the office
8. Openness
Principle 8 relates to the openness of PI.
Under the openness principle, organizations must:
- Make policies and procedures about management of PI available to individuals
- Explain to customers why you collect, how you use, and when you will disclose their PI
- Make information available to clients and customers regarding who within the organization can address questions or complaints regarding the handling of PI
- Make the name/title and address of the person accountable for your privacy policies available on request
- Describe to your clients how they can obtain access to or correct their PI
- Give individuals a description of what PI you hold and what you disclose to other organizations
9. Individual Access
Principle 9 relates to individual access to PI.
Under the individual access principle, organizations must:
- Adopt policies and procedures for responding to requests for PI
- Advise staff to direct requests for access to PI to the staff member responsible for processing them
- Inform individuals of the existence, use and disclosure of their PI on receipt of a written request
- Provide individuals with access to personal information on receipt of a written request
- Limit refusal to provide access to PI to legally permitted or required exceptions
- Provide an account of the uses of PI upon request
- Provide an account of all third parties to whom PI has been disclosed (or a listing of the types of third parties to whom such PI is generally disclosed) upon request
- Assist individuals who indicate they need help to complete a request for information
- Respond to a request for information at minimal or no cost to the individual
- Respond to a request for information within 30 days unless you notify the requestor within that time of the need to extend the response time limit, of the extended time limit, and of their complaint rights
- Use time extensions only when permitted by law
- Provide access to requested information in a legible format that explains abbreviations or codes
- Let requestors know why you refuse access, and what recourse is available to them
- Let people challenge the accuracy of PI, and amend inaccurate or incomplete PI
- Forward corrected PI to third parties who would have received the original information
10. Challenging Compliance
The final section of the PIPEDA compliance checklist relates to Principle 10 – Challenging Compliance.
Under the challenging compliance principle, organizations must:
- Let people bring compliance concerns to the designated individual responsible for PIPEDA
- Have policies and procedures to receive and respond to complaints or questions about how you handle PI
- Advise complaining individuals of all relevant complaint processes
- Investigate all complaints made about your personal information policies and practices
- Modify your actions to prevent the issue from recurring if a complaint is substantiated