Who is Required to Protect Personal Information Under PIPEDA?
PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information for commercial activity. All private, for-profit businesses that operate in Canada and handle personal information are subject to PIPEDA, regardless of the province or territory in which they are based. This includes foreign businesses that collect, use, or disclose the personal health information of Canadian citizens.
Under PIPEDA, personal information may only be collected, used, or disclosed for purposes considered appropriate in the circumstances.
When is Personal Information Not Subject to PIPEDA?
PIPEDA does not apply to:
- Personal information handled by federal government organizations listed under the Privacy Act
- Provincial or territorial governments and their agents
- Business contact information, including an employee’s name, title, business address, telephone number, or email address, that is collected, used, or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
- An individual’s collection, use, or disclosure of personal information strictly for personal purposes (e.g., a personal greeting card list)
- An organization’s collection, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes
In general, PIPEDA also does not apply to non-profit organizations, charity groups, political parties, or associations. However, PIPEDA does apply when such organizations engage in commercial activities that are not central to their mandate and that involve personal information.
How Does PIPEDA Regulate Businesses?
Businesses subject to PIPEDA must comply with ten fair information principles to ensure that personal information is adequately protected.
The ten PIPEDA Fair Information Principles are:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Accountability
Requires businesses to develop policies and procedures to ensure the protection of personal information held by the business. Information “held” by the business includes information transferred to a third party for collection, use, or disclosure. Under this principle, businesses must also designate an employee to be responsible for their PIPEDA compliance.
Identifying Purposes
Under this principle, businesses must document their purposes for collecting personal information and inform customers of these purposes before or at the time of collection.
Consent
Requires businesses to obtain valid and meaningful consent for the collection, use, or disclosure of personal information.
Limiting Collection
Requires businesses to collect personal information only for legitimate purposes.
Limiting Use, Disclosure, and Retention
Businesses must only use or disclose personal information for the identified purposes given to the customer at the time of or before collection. Businesses can only use or disclose personal information outside of the identified purposes when the customer consents to it, or as required by law. This principle also requires businesses to retain personal information only for as long as it is needed to serve the identified purposes.
Accuracy
Businesses must ensure that the information used when making a decision about a customer, or when disclosing information to a third party, is correct.
Safeguards
Businesses must protect personal information with safeguards proportionate to its sensitivity. Personal information must be safeguarded against loss, theft, and unauthorized access, disclosure, copying, use, or modification.
Openness
Requires businesses to have detailed personal information management practices that are easy to read and understand and are easily accessible to customers.
Individual Access
Under this principle, individuals have the right to access their personal information held by a business. Individuals also have the right to request that inaccurate information be amended.
Challenging Compliance
Individuals have the right to challenge a business’s collection, use, or disclosure of their personal information. These challenges must be made by the individual to the business’s PIPEDA compliance officer.