What is PIPEDA Compliance Canada? Data Regulated by the Law
PIPEDA in Canada regulates the use, collection, and disclosure of individuals’ personal information. Under the law, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- Age, name, ID numbers, income, ethnic origin, or blood type.
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or change jobs).
- Credit card and bank account numbers.
What is PIPEDA Compliance Canada? The Geographic Scope of PIPEDA
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of a commercial activity, and to federal works, undertakings, and businesses (such as banks, airlines, and telecommunications companies) with respect to the personal information of their employees. An organization need not be headquartered in Canada to be covered: the Office of the Privacy Commissioner of Canada and the Federal Court have taken the position that PIPEDA reaches organizations outside Canada that have a real and substantial connection to Canada, for example by collecting, using, or disclosing the personal information of people in Canada.
All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA. This is so regardless of the province or territory in which the business is based, and regardless of whether that province has its own substantially similar privacy legislation (as Quebec, British Columbia, and Alberta do). In provinces without such legislation, PIPEDA also governs commercial activity that stays within the province.
How are Businesses Regulated Under PIPEDA?
Under PIPEDA, businesses must follow ten fair information principles to protect personal information. These ten principles are:
- Accountability. This principle requires an organization to designate one or more individuals who are accountable for its PIPEDA compliance. The organization remains responsible for all personal information in its possession or custody, including personal information it transfers to a third party for processing, and must use contractual or other means to ensure a comparable level of protection while the information is being processed by that third party. Under the accountability principle, organizations must develop and implement policies and practices to give effect to the principles, including complaint-handling procedures and staff training.
- Identifying Purposes. This principle requires organizations to identify and document their purposes for collecting personal information. Organizations must tell their customers why the organization needs their personal information before or at the time of collection.
- Consent. Organizations must obtain meaningful and valid consent to collection, use, and disclosure of personal information.
- Limiting Collection. Organizations must collect only the personal information needed to fulfill a legitimate identified purpose.
- Limiting Use, Disclosure, and Retention. Under this principle, unless the individual consents otherwise or the law requires it, an organization may use or disclose personal information only for the identified purposes for which it was collected. Personal information may be kept only as long as necessary to fulfil those purposes, and information that is no longer required must be destroyed, erased, or made anonymous.
- Accuracy. Personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is used. The aim is to minimize the possibility that inaccurate information is used to make a decision about an individual or is disclosed to third parties.
- Safeguards. This principle requires businesses to protect personal information in a way that is appropriate to how sensitive it is. Under PIPEDA, businesses must protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use, or modification.
- Openness. This principle requires that specific information about an organization’s personal information management policies and practices be clear, easy to understand, and readily available to individuals, including the name or title and address of the person accountable for compliance and the means of gaining access to one’s personal information.
- Individual Access. Generally speaking, individuals have a right to access the personal information that an organization holds about them. They also have the right to challenge the accuracy and completeness of the information, and have that information amended as appropriate.
- Challenging Compliance. Under this principle, an individual must be able to address a challenge concerning the organization’s compliance with the above principles to the individual designated as accountable for PIPEDA compliance. The organization must have accessible procedures to receive, investigate, and respond to such complaints, and must inform complainants of other avenues of recourse, including filing a complaint with the Office of the Privacy Commissioner of Canada.