What is PIPEDA Compliance Canada?

The Personal Information Protection and Electronic Documents Act, or PIPEDA, is a Canadian federal law. The law regulates how private companies operating in Canada can gather, use, and disclose personal data. You might be wondering, what is PIPEDA? PIPEDA compliance Canada is discussed in greater detail below.

What is PIPEDA Compliance Canada? Entities Covered by the Law

PIPEDA Compliance Canada

PIPEDA applies to private-sector organizations operating in Canada that collect, use, or disclose personal information in the course of a commercial activity. Certain private-sector organizations are heavily regulated by the Canadian government. 

These organizations are called Federal Works, Undertakings or Businesses (FWUBs), and are regulated by PIPEDA like any other private-sector organization. FWUBs include:

  • Airports, aircraft and airlines;
  • Banks and authorized foreign banks;
  • Inter-provincial or international transportation companies;
  • Telecommunications companies;
  • Offshore drilling operations; and
  • Radio and television broadcasters.

The law also applies to foreign (outside of Canada) organizations that collect, use, or disclose personal information of Canadian citizens in the course of a commercial activity.

Want to learn more about Canadian data privacy compliance? Click here 

The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

What is PIPEDA Compliance Canada? Data Regulated by the Law

PIPEDA regulates the use, collection, and disclosure of individuals’ personal information. Under the law, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • Age, name, ID numbers, income, ethnic origin, or blood type.
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or change jobs).
  • Credit card and bank account numbers.

What is PIPEDA Compliance Canada? The Geographic Scope of PIPEDA

PIPEDA applies to federally regulated private-sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity. These organizations need not have Canada as their headquarters. As long as a business collects, uses, or discloses personal information of Canadians, that business “operates” in Canada.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities, are subject to PIPEDA. This is so regardless of the province or territory in which the business is based, and regardless of whether the province in which a business is based has its own, substantially similar legislation regarding data privacy.

How are Businesses Regulated Under PIPEDA?

Under PIPEDA, businesses must follow ten fair information principles to protect personal information. These ten principles are:

  1. Accountability. This principle requires that an organization appoint someone to be responsible for its organization’s PIPEDA compliance. The principle also requires an organization to protect all personal information it holds, including any personal information it transfers to a third party for processing. Under the accountability principle, organizations must develop and implement personal information policies and practices.
  2. Identifying Purposes. This principle requires organizations to identify and document their purposes for collecting personal information. Organizations must tell their customers why the organization needs their personal information before or at the time of collection.
  3. Consent. Organizations must obtain meaningful and valid consent to collection, use, and disclosure of personal information.
  4. Limiting Collection. Organizations must collect only the personal information needed to fulfill a legitimate identified purpose.
  5. Limiting Use, Disclosure, and Retention. Under this principle, unless someone consents otherwise, or unless doing so is required by law, an organization may use or disclose personal information only for the identified purposes for which it was collected. Personal information may only be kept for as long as it is needed to serve those purposes.
  6. Accuracy. An organization must minimize the possibility of using incorrect information when making a decision about an individual or when disclosing information to third parties.
  7. Safeguards. This principle requires businesses to protect personal information in a way that is appropriate to how sensitive it is. Under PIPEDA, businesses must protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use, or modification.
  8. Openness. This principle requires that an organization’s detailed personal information management practices be clear, easy to understand, and readily available to residents. 
  9. Individual Access. Generally speaking, individuals have a right to access the personal information that an organization holds about them. They also have the right to challenge the accuracy and completeness of the information, and have that information amended as appropriate.
  10. Challenging Compliance. PIPEDA requires Canadian residents challenging a business’s data collection, use, and disclosure policy to address the challenge to the business’s PIPEDA compliance officer.