PIPEDA applies to most Canadian organizations that handle personal information as part of a commercial activity. It doesn't cover somebody keeping a list of addresses for sending personal Christmas cards.
In most cases, charities, nonprofits and political parties or groups aren't covered by PIPEDA, unless they are using the data for a commercial activity that isn't related to their main purpose.
Most of the listed exemptions cover situations where another law applies and has similar requirements. For example, provincial laws apply in Alberta, British Columbia and Quebec. Several other provinces and territories have their own laws governing personal health information. These geographical exemptions only apply to business within the province or territory. Any interprovincial commerce comes under PIPEDA.
What are PIPEDA's Key Requirements?
If you're covered by PIPEDA, you must follow 10 "fair information principles" which can be summarized as follows:
- Accountability: You must appoint a dedicated data protection officer.
- Identifying Purposes: You must say why you are collecting personal information and how you'll use it.
- Consent: You must get permission before collecting, using or sharing somebody's personal information.
- Limiting Collection: You must only collect the personal information that is necessary for the stated purpose.
- Limiting Use, Disclosure, and Retention: You must only use or disclose personal information for the stated purposes and you can only keep it for as long as necessary to serve those purposes.
- Accuracy: You must keep the personal information accurate, complete and up-to-date.
- Safeguards: You must protect the personal information you possess. The level of security depends on how sensitive the personal information is.
- Openness: You must make details of your data handling policies public and easy to find.
- Individual Access: People can ask to see the personal information you hold about them and correct it if necessary.
- Challenging Compliance: People must have a way to complain if you don't follow these principles. If unresolved, these complaints can escalate to the Office of the Privacy Commissioner.
Where Do Privacy Policies Come Into The Picture?
"An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."
Let's take a look at each one individually.
Contact Details
You must give the name and address of the person in your organization who is responsible for complying with PIPEDA. You must also give the name and address of the person to whom people can make complaints. In most cases the same person (a data protection officer) will fill both of these roles.
While the law only requires a name and address, for best practice you could include a phone number and/or an email address.
EY Law goes a step beyond mere contact details by explaining the responsibilities of its privacy officer:
Access to Personal Information
You must explain how people can access the personal information you hold about them. You must also explain how they can ask you to correct or delete inaccurate or outdated information.
CGI gives a concise but detailed explanation of how to exercise data access rights:
How You Collect and Use Personal Information
It's ok to list the general types of information you collect rather than a precise and comprehensive list, but don't be too broad with your categories. Remember that people should understand what information you collect.
The Office of the Privacy Commissioner gives the following examples of categories that strike a good balance between specific and broad:
- Dates of birth
- Identification numbers
- Video surveillance image
For each type of information you must list the reasons and purposes for which you collect and use it. You must also say which types of information you disclose, who it goes to, and why you disclose it.
Air Canada details specific purposes for using personal information:
Although PIPEDA does not specifically require this, it's good practice to say how long you intend to keep the personal information or how you will decide when to delete it. This gives the individual more context when deciding whether to give consent.
Related Organizations
PIPEDA says you must tell people what information you share with related organizations. This could include a subsidiary of your company, or a sister organization with which you share a parent company. This means you can't simply assume it's "obvious" that you will share data with this related organization.
Rogers Communications covers this point in its list of disclosures:
Related Documents
The precise wording of the law says you must make available "a copy of any brochures or other information that explain the organization's policies, standards, or codes."
Remember that people need enough information to make an informed decision to consent to data use. This means it wouldn't be appropriate to have a sign-up form on your website asking for personal information but ask users to get a pamphlet about your data handling through the mail or in person. The information needs to be available at the point you collect the personal information: in this case, on your website.
The precise wording of PIPEDA says you can present information "in a variety of ways." Examples given include:
- Brochures at your "place of business"
- Through the mail
- Through a toll-free phone number
You should organize your policy in clearly headed sections rather than as a continuous piece of text. Users should be able to quickly find the information they need to answer a specific question rather than read through the whole policy.
Royal Bank of Canada uses a combination of drop-down menus for users to access specific sections, and links to dedicated pages for people who want more detail:
PIPEDA says the information should be "in a form that is generally understandable." The Office of the Privacy Commissioner confirms you should use plain language rather than legalistic language where possible. You should also keep the policy as short as possible without missing out anything important.
August uses a particularly friendly and conversational tone while still covering the key legal points:
Summary
- PIPEDA applies to most Canadian organizations handling personal information as part of a commercial activity. The main exemptions are for locations or business types which are already covered by a law with similar measures.
- Contact details for your data protection officer (or equivalent position)
- Details of how people can exercise their data access rights
- Details of the types of personal information you collect and use
- How and why you use the personal information
- Who you share personal information with, including subsidiaries and other "related organizations."
- Use clear language and be as concise as possible while still making the information complete.