What is PIPEDA Canada Privacy?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector privacy law. PIPEDA sets out the ground rules for how businesses must treat personal information in the course of conducting commercial activities. A central component of PIPEDA Canada privacy protection is the requirement that organizations subject to PIPEDA give individuals access to the personal information that organizations hold about them. The right of access component of PIPEDA Canada privacy is discussed below.

What is PIPEDA Canada Privacy? Right of Access Responsibilities

PIPEDA regulates organizations that use individuals’ personal data for money-making purposes. Under PIPEDA, organizations include all kinds of private businesses (in contrast to HIPAA, which only regulates covered entities and business associates). In general, organizations may only use personal information for the purposes for which it was collected. Use of the information requires consent. If an organization is going to use personal information for another purpose, the organization must obtain consent again.

PIPEDA Canada Privacy

PIPEDA Canada privacy regulations, similar to the HIPAA Privacy Rule, require that organizations be transparent about what they do with personal information. Under PIPEDA, organizations holding personal information about individuals must allow those individuals access to it. The PIPEDA right of access rule is similar to the HIPAA right of access rule. PIPEDA requires organizations to do the following:

  • When asked, advise individuals about the personal information about them that the organization holds.
  • Explain where the information was obtained. 
  • Explain how the organization is using the information, how the organization has previously used the information, and to whom the information has been disclosed. This requirement is similar to the HIPAA accounting of disclosures requirement. 
  • Give people access to the information at minimal or no cost, or explain the reasons for not providing access. This provision differs from HIPAA, which permits providers to charge for copies of medical records so long as the fee is reasonable and cost-based.
  • Generally, an organization can only deny access when:
    • Disclosure would reveal personal information about someone else. However, if the information that relates to the third party can be severed or blacked out, an organization must provide the information to the requester with such information on third parties removed. This exemption does not apply if the third party consents to release of the information, or if the individual needs the information because somebody’s life, health, or security is threatened (this is similar to the HIPAA “emergency” exception).
    • The information is protected by solicitor-client privilege (the Canadian equivalent of the American attorney-client privilege).  
    • Disclosure of the information would reveal confidential commercial information. Organizations must, if they can reasonably do so, remove the confidential portions of the information, and give the requester access to the rest of his or her personal information.
    • Disclosure of the information could reasonably be expected to threaten the life or security of another individual. This exception is similar to the HIPAA exception that permits disclosure “to lessen a threat of serious and imminent harm to the health or safety of the patient or others.” 
    • The information was collected for purposes related to an investigation of a breach of an agreement or a contravention of the laws of Canada or a province, and it would be reasonable to expect that the individual’s knowledge of or consent for the collection would compromise the availability or accuracy of the information. This exception is similar to the HIPAA law enforcement exception.
    • The information was generated in the course of a formal dispute-resolution process.
    • The information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act (commonly referred to as the whistleblower law), or in the course of an investigation into a disclosure under that Act.

What is PIPEDA Canada Privacy? Additional Access Rights

PIPEDA Canada privacy regulations give individuals additional access rights. These include the right to correct or amend personal information, upon an individual’s request, in cases where accuracy and completeness are deficient. If the individual successfully shows that information is inaccurate or incomplete, it must be amended or corrected. Individuals also have the right to have the amended information sent on to any parties to whom the organization may have disclosed the original information.