The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates any private-sector business operating in Canada that may gather, use, or disclose the personal data of Canadian citizens. Businesses that are subject to PIPEDA must meet certain requirements to comply with the law. Part of PIPEDA compliance requires businesses to train employees, but what exactly are the PIPEDA training requirements?
PIPEDA Training Requirements
PIPEDA dictates that an organization’s Privacy Officer is responsible for training all front-line and management staff and keeping them informed.
The Privacy Officer must train staff on the organization’s policies and procedures regarding the confidentiality and security of personal information, and must conduct regular PIPEDA training and education so that employees maintain secure information-handling procedures and are aware of changes to the law.
To ensure that staff are adequately trained, organizations must have a process in place to identify when staff require a refresher course.
PIPEDA training must also instruct employees on the proper access, disclosure, copying, use, and modification of personal information. PIPEDA also grants consumers the right to know how a business manages their personal information. Under the PIPEDA training requirements, staff must be trained to answer consumer questions about how the organization manages their personal information. Staff must be able to explain the purposes for collecting personal information accurately, clearly, and consistently, and to inform individuals of any new reasons for collection. Staff training must also cover when to provide individuals with the name, address, and phone number of the organization’s PIPEDA contact person.
Effective PIPEDA Training
To meet PIPEDA compliance requirements and for training to be considered effective, it is recommended that staff members be trained annually. Training on at least an annual basis is the only way to ensure that all requirements are met.
Upon completion of training, staff must be able to:
- Respond to inquiries about privacy policies and practices themselves or refer inquirers to the privacy officer or another authorized representative;
- Explain their organization’s purposes for collecting personal information;
- Understand policy and procedures on consent and obtain consent as appropriate;
- Explain to customers when and how they may withdraw consent and what consequences if any may come of such withdrawal;
- Recognize and process requests for access to personal information;
- Refer complaints about PIPEDA privacy matters to the privacy officer; and
- Keep up to date on their organization’s ongoing activities and new initiatives relating to the protection of personal information.