If you handle personal information for business purposes in Canada, you will likely need to follow a federal law called the Personal Information Protection and Electronic Documents Act (PIPEDA). One of PIPEDA's requirements is that you must give specific information to individuals about how you handle their personal information. This will normally be in the form of a Privacy Policy.
Here's what you need to know about creating a Privacy Policy that satisfies PIPEDA requirements.
- 1. What are PIPEDA's Key Requirements?
- 2. Where Do Privacy Policies Come Into The Picture?
- 3. What Should Be In My PIPEDA Privacy Policy?
- 3.1. Contact Details
- 3.2. Access to Personal Information
- 3.3. How You Collect and Use Personal Information
- 3.4. Related Organizations
- 3.5. Related Documents
- 4. How Should I Present my Privacy Policy?
- 5. Summary
PIPEDA applies to most Canadian organizations that handle personal information as part of a commercial activity. It doesn't cover somebody keeping a list of addresses for sending personal Christmas cards.
In most cases, charities, nonprofits and political parties or groups aren't covered by PIPEDA, unless they are using the data for a commercial activity that isn't related to their main purpose.
Most of the listed exemptions cover situations where another law applies and has similar requirements. For example, provincial laws apply in Alberta, British Columbia and Quebec. Several other provinces and territories have their own laws governing personal health information. These geographical exemptions only apply to business within the province or territory. Any interprovincial commerce comes under PIPEDA.
What are PIPEDA's Key Requirements?
If you're covered by PIPEDA, you must follow 10 "fair information principles" which can be summarized as follows:
- Accountability: You must appoint a dedicated data protection officer.
- Identifying Purposes: You must say why you are collecting personal information and how you'll use it.
- Consent: You must get permission before collecting, using or sharing somebody's personal information.
- Limiting Collection: You must only collect the personal information that is necessary for the stated purpose.
- Limiting Use, Disclosure, and Retention: You must only use or disclose personal information for the stated purposes and you can only keep it for as long as necessary to serve those purposes.
- Accuracy: You must keep the personal information accurate, complete and up-to-date.
- Safeguards: You must protect the personal information you possess. The level of security depends on how sensitive the personal information is.
- Openness: You must make details of your data handling policies public and easy to find.
- Individual Access: People can ask to see the personal information you hold about them and correct it if necessary.
- Challenging Compliance: People must have a way to complain if you don't follow these principles. If unresolved, these complaints can escalate to the Office of the Privacy Commissioner.
Where Do Privacy Policies Come Into The Picture?
Although the term "Privacy Policy" does not appear in the legal text of PIPEDA, the law does state that:
"An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."
The Office of the Privacy Commissioner gives clear guidance that this information is best conveyed in a dedicated Privacy Policy.
Having a clear Privacy Policy will also help to satisfy the principle of consent. The law says this consent must be meaningful, which means that you have a reasonable expectation that customers understand how and why you are using their personal information.
What Should Be In My PIPEDA Privacy Policy?
PIPEDA lists five specific types of information that you must make available, usually through a Privacy Policy.
Let's take a look at each one individually.
Contact Details
You must give the name and address of the person in your organization who is responsible for complying with PIPEDA. You must also give the name and address of the person to whom people can make complaints. In most cases the same person (a data protection officer) will fill both of these roles.
While the law only requires a name and address, for best practice you could include a phone number and/or an email address.
EY Law goes a step beyond mere contact details by explaining the responsibilities of its privacy officer.
Access to Personal Information
You must explain how people can access the personal information you hold about them. You must also explain how they can ask you to correct or delete inaccurate or outdated information.
CGI gives a concise but detailed explanation of how to exercise data access rights.
How You Collect and Use Personal Information
Your Privacy Policy should include an overview of what types of personal information you collect and how you use it.
It's fine to list the general types of information you collect rather than a precise and comprehensive list, but don't make your categories too broad. Remember that people should be able to understand what information you collect.
The Office of the Privacy Commissioner gives the following examples of categories that strike a good balance between specific and broad:
- Cookies
- Dates of birth
- Identification numbers
- Video surveillance images
For each type of information you must list the reasons and purposes for which you collect and use it. You must also say which types of information you disclose, who it goes to, and why you disclose it.
Air Canada details specific purposes for using personal information.
Although PIPEDA does not specifically require this, it's good practice to say how long you intend to keep the personal information or how you will decide when to delete it. This gives the individual more context when deciding whether to give consent.
Related Organizations
PIPEDA says you must tell people what information you share with related organizations. This could include a subsidiary of your company, or a sister organization with which you share a parent company. This means you can't simply assume it's "obvious" you will share data with this related organization.
Rogers Communications covers this point in its list of disclosures.
Related Documents
The precise wording of the law says you must make available "a copy of any brochures or other information that explain the organization's policies, standards, or codes."
Normally this is covered by the Privacy Policy itself. If you do have a separate publication, for example a pamphlet that goes into more detail, you should link to this from the Privacy Policy.
Remember that people need enough information to make an informed decision to consent to data use. This means it wouldn't be appropriate to have a sign-up form on your website asking for personal information but ask users to get a pamphlet about your data handling through the mail or in person. The information needs to be available at the point you collect the personal information: in this case, on your website.
How Should I Present my Privacy Policy?
The precise wording of PIPEDA says you can present information "in a variety of ways." Examples given include:
- Brochures at your "place of business"
- Through the mail
- Through a toll-free phone number
- Online
The Office of the Privacy Commissioner recommends that you put the Privacy Policy on your website, link to it from your home page, and include a prominent link whenever you are about to collect data or ask the user to make a decision that involves their personal information.
You should organize your policy in clearly headed sections rather than as a continuous piece of text. Users should be able to quickly find the information they need to answer a specific question rather than read through the whole policy.
Royal Bank of Canada uses a combination of drop-down menus for users to access specific sections, and links to dedicated pages for people who want more detail.
PIPEDA says the information should be "in a form that is generally understandable." The Office of the Privacy Commissioner confirms you should use plain language rather than legalistic language where possible. You should also keep the policy as short as possible without missing out anything important.
August uses a particularly friendly and conversational tone while still covering the key legal points.
Make sure you have trained your staff in how to deal with queries about privacy issues. They will need to know where users can access your Privacy Policy. They'll also need to be able to explain what happens when a user makes a data access request.
Summary
Let's recap what you need to know and do to comply with PIPEDA's Privacy Policy rules.
- PIPEDA applies to most Canadian organizations handling personal information as part of a commercial activity. The main exemptions are for locations or business types which are already covered by a law with similar measures.
- Under PIPEDA you must follow 10 fair information principles. A Privacy Policy satisfies the openness principle. It will also help with the consent principle.
- Your Privacy Policy must include:
  - Contact details for your data protection officer (or equivalent position)
  - Details of how people can exercise their data access rights
  - Details of the types of personal information you collect and use
  - How and why you use the personal information
  - Who you share personal information with, including subsidiaries and other "related organizations"
- The best way to present a Privacy Policy is on your website, with clear links from the homepage and at any point where you are collecting personal information.
- Use clear language and be as concise as possible while still making the information complete.