The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the data privacy of Canadian citizens, known as “personal information.” But, what is personal information under PIPEDA?
Personal Information Under PIPEDA
The PIPEDA act classifies “personal information” as any factual or subjective information, about or relating to an identifiable individual. Subjective information may include opinions or beliefs , even if the information is not accurate. Information is about an “identifiable individual” when it directly relates to an individual, or if there is a serious possibility that an individual could be identified through the use of that information.
Under PIPEDA, personal information includes:
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, an intent to acquire goods or services, or change jobs)
Personal information includes information in any form such as:
- Written information
- Information contained in conversations
- Biological samples
- Video or audio surveillance
Who is Required to Protect Personal Information Under PIPEDA?
PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information for commercial activity. All private, for-profit businesses that operate in Canada and handle personal information are subject to PIPEDA, regardless of the province or territory in which they are based. This includes foreign businesses that collect, use, or disclose the personal health information of Canadian citizens.
Under PIPEDA, personal information may only be collected, used, or disclosed for purposes considered appropriate in the circumstances.
When is Personal Information Not Subject to PIPEDA?
PIPEDA does not apply to:
- Personal information handled by federal government organizations listed under the Privacy Act
- Provincial or territorial governments and their agents
- Business contact information including an employee’s name, title, business address, telephone number or email addresses, that is collected, used, or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
- An individual’s collection, use, or disclosure of personal information strictly for personal purposes (i.e., a personal greeting card list)
- An organization’s collection, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes
In general, PIPEDA also does not apply to non-profit organizations, charity groups, political parties, or associations. However, PIPEDA does apply when they are engaging in commercial activities that are not central to their mandate, and involve personal information.
How Does PIPEDA Regulate Businesses?
Businesses subject to PIPEDA must comply with ten fair information principles to ensure that personal information is adequately protected.
PIPEDA Fair Information Principles include:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Accountability
Requires businesses to develop policies and procedures to ensure the protection of personal information held by the business. Information “held” by the business includes information transferred to a third-party for collection, use, or disclosure. Under this principle, businesses must also designate an employee to be responsible for their PIPEDA compliance.
Identifying Purposes
Under this principle, businesses must document their purposes for collecting personal information, and inform customers of these purposes before or at the time of collection.
Consent
Requires businesses to receive valid and meaningful consent for the collection, use, or disclosure of personal information.
Limiting Collection
Requires businesses to only collect personal information for legitimate purposes.
Limiting Use, Disclosure, and Retention
Businesses must only use or disclose personal information for the identified purposes given to the customer at the time of or before collection. Businesses can only use or disclose personal information outside of identified purposes when a customer consents to the collection, or as required by law. This principle also requires business to retain personal information for as long as it is needed to serve the identified purposes.
Accuracy
Businesses must ensure that the information used when making a decision about a customer, or disclosing information to a third party, is correct.
Safeguards
Businesses must protect personal information sufficiently, in relation to how sensitive it is. Personal information must be safeguarded against loss, theft, unauthorized access, disclosure, copying, use, or modification.
Openness
Requires business to have detailed personal information management practices that are easy to read and understand, and are easily accessible to customers.
Individual Access
Under this principle, individuals have the right to access their personal information held by a business. Individuals also have the right to request that inaccurate information is amended.
Challenging Compliance
Individuals have the right to challenge a business’s collection, use, or disclosure of their personal information. These challenges must be made by the individual to the business’s PIPEDA compliance officer.