What Are PIPEDA Fair Information Principles?

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs private-sector businesses that collect, use, or disclose the personal information of Canadian citizens. There are ten PIPEDA fair information principles that each have their own set of requirements that businesses must adhere to to be PIPEDA compliant.

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

What Do PIPEDA Fair Information Principles Require?

To comply with PIPEDA, businesses must have a documented PIPEDA compliance program that proves that they have policies and procedures in place that meet each of the PIPEDA fair information principles.

PIPEDA Fair Information Principles

Accountability

The first PIPEDA fair information principle is Accountability. The Accountability principle requires businesses to have documented privacy policies that apply to both customer and employee personal information (PI). These policies must clearly indicate that the business is responsible for all personal information the business holds, controls, or transfers to a third-party for processing, and have the explanation available to the public. Businesses are also responsible for ensuring that personal information held by third-parties is held to comparable levels of privacy protection of PI that the business’ own PI is held to through custodian processing contracts. Business must also verify that third-parties have implemented those contractual privacy controls.

Under this principle, businesses must designate an employee to be responsible for privacy management and governance. The employee responsible for PIPEDA compliance must review their organization’s privacy policies for completeness and ease of understanding, and serve as the contact when individuals inquire about a business’ compliance. All staff must receive training on organizational policies, procedures, and best practices so that they are aware of how to properly handle personal information; and there must be a process for identifying when new or refresher training is needed.

Identifying Purposes

The second PIPEDA fair information principle is Identifying Purposes. This principle requires businesses to identify the purpose for their collection and use of personal information. 

To ensure that a business is collecting PI for reasonable business circumstances, businesses must identify why they are collecting PI and determine the types and amount of PI they require to fulfill their purposes. Businesses must also distinguish between primary and secondary collection purposes, and make staff aware of what to do should customers opt out of secondary uses.

Under this principle, businesses must identify and document why they are collecting PI, at or before the time of collection. Businesses must also inform individuals of collection purposes at or before collection time; and inform individuals of new PI use purposes that were not identified upon information collection, receiving consent from them before use.

Consent

The third PIPEDA fair information principle is Consent. This principle requires businesses to receive consent from individuals to use, disclose, or collect their PI, and notify them of the purposes for PI use or disclosure. Additionally, businesses must assess the purposes of collection, use, or disclosure of PI to limit to what is necessary; and ensure that staff do not ask clients to consent to PI collection, use, or disclosure beyond what is necessary. Under this principle, customers also have the right to withdraw their consent at any time, and businesses must inform customers of the implications of the withdrawal of consent.

Limiting Collection

The fourth PIPEDA fair information principle is Limiting Collection. This principle requires businesses to limit the amount and type of PI collected to only what is necessary for the identified purpose; and to limit collection of social insurance numbers (SINs) to legally established purposes. Information must be collected by lawful means, and businesses must distinguish between mandatory and optional PI collection.

Under this principle, businesses must document the specific types of information collected, the purposes for collection, and when information is collected about individuals from sources other than the individual themselves.

Limiting Use, Disclosure, and Retention

The fifth PIPEDA fair information principle is Limiting Use, Disclosure, and Retention. This principle requires business to only use or disclose PI for the purposes it was collected for, unless additional consent has been given or when legally required. When consent is given to use or disclose PI other than for the original purposes, new purposes must be documented after PI collection.

Under this principle, businesses must also adhere to data retention restrictions. PI must only be retained as long as it is required to fulfill identified purposes or for long enough for individuals to request access to it. Businesses must also have a PI destruction policy, including who is in charge of PI destruction.

Use this PIPEDA compliance checklist to assess your compliance!

Accuracy

The sixth PIPEDA fair information principle is Accuracy. This principle requires businesses to use reasonable measures to make sure PI is accurate, complete, and current before using it to make decisions. To ensure accuracy, businesses must conduct periodic accuracy spot-checks, assessments, or audits of PI holdings and databases.

Through this principle, PI must only be updated if doing so is necessary to fulfill the purposes for which the PI was collected; however, businesses must also have a process for individuals to challenge PI accuracy. Lastly, businesses must record when and where PI was collected, including correction or update dates to PI.

Safeguards

The seventh PIPEDA fair information principle is Safeguards. This principle requires businesses to adopt physical, technical, and administrative safeguards to protect PI from loss, theft, unauthorized access, disclosure, copying, use, or modification. Safeguards must be appropriately chosen based on the sensitivity of the PI, and how the PI is transmitted. Businesses must also implement processes to prevent unauthorized access to PI during PI disposal or destruction. Under this principle, businesses must also have policies and practices related to information security and security breaches.

Openness

The eighth PIPEDA fair information principle is Openness. This principle requires businesses to make policies and procedures about management of PI available to individuals. These must provide an explanation to customers as to why the business collects PI, how their PI is used, and when PI will be disclosed. Businesses policies and procedures must also describe how customers can obtain access to or correct their PI and provide individuals a description of what PI is held and what PI is disclosed to other organizations.

Under this principle, organizations must also make the name/title and address of the person accountable for the business’ privacy policies available, and provide contact information to clients and customers regarding who within the organization can address questions or complaints regarding the handling of PI.

Individual Access

The ninth PIPEDA fair information principle is Individual Access. This principle requires businesses to adopt policies and procedures for responding to requests for PI, and advise staff to direct requests for access to PI to the staff member responsible for processing them.

Under this principle, individuals must be provided with access to their PI, an account of uses of their PI, and an account of all third parties to whom PI has been disclosed  (upon written request). PI access may be refused for legally permitted or required exceptions, however businesses must let requestors know why access was refused, and what recourse is available to them. Lastly, business must respond to a request for information within 30 days (unless the requestor was notified of a legally permitted extension) at minimal or no cost to the individual.

Challenging Compliance

The tenth PIPEDA fair information principle is Challenging Compliance. This principle requires businesses to have policies and procedures to receive and respond to complaints or questions about how PI is handled by the business. Businesses must allow individuals to bring compliance concerns to the designated individual responsible for PIPEDA, and advise complaining individuals of all relevant complaint processes. Under this principle, businesses are required to investigate all complaints made about their personal information policies and practices, and modify their actions to prevent the issue from recurring if a complaint is substantiated.