If your business operates in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates what you can do with the personal information you gather from your customers.
PIPEDA is a Canadian federal law that applies to businesses operating in the private sector.
The law regulates how:
- Businesses collect personal and sensitive information
- A business uses this personal information
- Businesses operating in Canada disclose personal information
Chances are, if you're operating a business with customers, you're collecting their personal data. So, how do you comply with this law, and why does it exist in the first place?
Put simply, PIPEDA aims to strike a balance between commercial needs and personal freedom. It balances the need for businesses to gather information that helps them understand their customers against an individual's right to privacy.
Why is this balance necessary? It's simple, really. Everyone wants to know:
- Why they're sharing their data;
- Where their information is stored;
- What happens to this information; and
- Who they can complain to if they're unhappy.
The bottom line is that personal information should only be used for the purposes for which it was collected, and individuals have the right to access the information you hold on them.
So, how does PIPEDA work, in practice?
- 1. Who PIPEDA Applies To
- 2. Businesses Falling Under The Scope of PIPEDA
- 2.1. Are You In The Private Sector?
- 3. What Is "Personal" Information?
- 3.1. Is Any Personal Information Exempt?
- 4. PIPEDA and Commercial Activity
- 5. What Is Required Under PIPEDA?
- 5.1. The 10 Privacy Principles of PIPEDA
- 5.2. Principle 1: Accountability
- 5.3. Principle 2: Identifying Purposes
- 5.4. Principle 3: Consent
- 5.5. Principle 4: Limiting Collection
- 5.6. Principle 5: Limiting Use, Disclosure and Retention
- 5.7. Principle 6: Accuracy
- 5.8. Principle 7: Safeguards
- 5.9. Principle 8: Openness
- 5.10. Principle 9: Individual Access
- 5.11. Principle 10: Challenging Compliance
- 6. Recap
- 7. Ensuring Compliance With PIPEDA
- 7.1. Know The Offences
- 7.2. Train Your Staff
- 7.3. Use Appropriate Security Measures
- 7.4. Be Clear About What Is Optional
- 8. When There Is a Data Breach
- 8.1. Significant Risk of Harm
- 9. Summary
Who PIPEDA Applies To
In a nutshell, PIPEDA applies to:
- A business
- Federally regulated in Canada
- Collecting, using, or distributing personal information
- In the course of commercial activity
Let's break down who the Act applies to in more detail, and what the exceptions are.
Businesses Falling Under The Scope of PIPEDA
Private organizations based in Canada fall under PIPEDA's scope unless the organization is based in:
- British Columbia; or
Organizations based in any of these three provinces, so long as they operate solely within the province, are exempt from PIPEDA. Why? Because these provinces have robust privacy laws that are very similar to PIPEDA, anyway.
Otherwise, any private sector business undertaking commercial activity in Canada should be aware that PIPEDA affects them.
Are You In The Private Sector?
Just what is the "private" sector, anyway? Private sector companies are run by individuals, or groups, who want to make a profit. They're very rarely under direct government control.
Private sector companies include businesses of all sizes:
- Sole proprietors and the self-employed, such as tradesmen
- Partnerships, such as dental surgeries
- Small and medium-sized enterprises
- Even large-scale, multinational companies
So, now you've established that PIPEDA applies to your business. The next step is identifying the customer information you can obtain and store.
What Is "Personal" Information?
Personal information is anything that can be used to clearly identify an individual. Personal information includes (but isn't limited to):
- Name, age, date of birth, ID numbers
- Blood type, ethnicity, DNA, and medical history
- Income details, employee records, and employment details
- Marital and social status
- Disciplinary records
- Loan and credit application details
We recommend erring on the side of caution - if you suspect it's personal data, treat it as such.
Is Any Personal Information Exempt?
You're probably wondering if it's ever possible to collect personal information without PIPEDA's oversight. What about addresses for greeting cards, for example?
Don't worry. PIPEDA doesn't apply in every situation.
Canadian law ensures that PIPEDA does not apply when:
- You collect data solely for personal use, such as names and addresses for a personal greeting card list
- You use the data solely for a literary, journalistic, or artistic purpose
- The information is being handled by a federal government organization, local or provincial governments, or their agents - these are regulated by the Privacy Act instead
- You're using the data purely to communicate with an employee about their job and for no other purpose - for example, an employment contract
What makes these situations different? Why doesn't PIPEDA apply?
It doesn't apply because there's no commercial element.
PIPEDA and Commercial Activity
Just what do we mean by "commercial" activity?
Commercial activities are hard to define. Put simply, it's a commercial activity if it involves actions or transactions with a commercial purpose.
For example, it's a commercial activity when you sell something, lease something, or purchase something. It also includes things such as membership lists for fundraising purposes, and bartering.
As soon as there's a commercial goal, or a goal of making money, it's a commercial activity.
What Is Required Under PIPEDA?
Now you know who PIPEDA applies to: a private sector business, in Canada, handling personal information in a commercial way. You're probably wondering how it applies.
Simply put, organizations must ensure that they have someone's consent to collect, use, or disclose their personal information. People want to know how their information is being used.
PIPEDA regulates data collection, use, and disclosure through the 10 Privacy Principles of PIPEDA.
The 10 Privacy Principles of PIPEDA
Also known as the "fair information principles," these guidelines are a vital part of PIPEDA. They establish the key rules that organizations under PIPEDA's jurisdiction must follow.
The basic premise behind the principles is the idea that information can only be collected, used, and distributed in a reasonable way. This means that you can only use, collect, or share information in ways that a reasonable person would agree are necessary in the circumstances.
So, for example, if you're building a fundraising membership list, do you need to know someone's blood type or their ethnicity? No, you don't. This would be an unreasonable collection of information because it's above what's necessary to fulfill a specified purpose.
The principles are:
- 1. Accountability
- 2. Identifying Purposes
- 3. Consent
- 4. Limiting Collection
- 5. Limiting Use, Disclosure and Retention
- 6. Accuracy
- 7. Safeguards
- 8. Openness
- 9. Individual Access
- 10. Challenging Compliance
1. Accountability
A business must appoint someone who's accountable for complying with the rules. This person is generally called the Chief Privacy Officer (CPO).
2. Identifying Purposes
3. Consent
You can't obtain, use, or disclose personal information without consent. The individual whose data you handle must consent in full knowledge to whatever you do with their data.
Jetpack, for example, gets consent from individuals for the types of emails it sends by using checkboxes, each with a short explanation of that type of email. This lets customers know how their email addresses will be used and consent explicitly to each use.
4. Limiting Collection
It's vital that businesses limit the scope of the data handled to only what is necessary for an identifiable purpose. This goes back to the earlier example - collect only what data you need, and no more than that.
5. Limiting Use, Disclosure and Retention
A business must:
- Use the information for a set purpose;
- Keep and store the data for no longer than necessary; and
- Obtain consent whenever they use this information for a new purpose
There are very few circumstances in which these rules do not apply, and they're all covered by Canadian law.
6. Accuracy
The personal information you gather must be accurate and complete, so far as possible. You need to make efforts to keep it accurate, such as when a customer updates an email address with you.
7. Safeguards
Very importantly, businesses must ensure there are proper processes in place to keep personal information safe. Information should be safe from, for example, cyber attacks or intrusions.
8. Openness
In a nutshell, someone who trusts you with their personal information should be able to see why you need it. Your data collection and protection policies should be easily accessible, and it should be clear who someone can complain to if they have any queries.
9. Individual Access
When an individual asks to see what information is held on them, or they ask for you to delete it, you must comply.
10. Challenging Compliance
It might be obvious by now, but any individual whose data you hold can make a complaint if they believe you're mishandling their information. They have a right to complain to your CPO in the first instance.
Recap
Before we look at how you can comply with PIPEDA, it's worth recapping everything we've covered so far.
A private sector organization using, collecting, or storing someone's personal information, during the course of any commercial activity, is regulated by PIPEDA.
- You can only use, store, and distribute this information for a clear and specific purpose
- The individuals have a right to know what data you hold on them
- People have the right to amend their data and ask that you delete it
- If you hold personal information covered by PIPEDA, you must appoint someone to ensure you comply with the Act
- You must be transparent at all times
Ensuring Compliance With PIPEDA
It's crucial that you comply with what's expected of you under PIPEDA.
PIPEDA doesn't set out specific compliance rules, but here are some official tips to make compliance easier.
Know The Offences
Under PIPEDA, it's an offence to:
- Erase or destroy personal information, requested by an individual, before you give it to them
- Obstruct any investigations
- Retaliate against an employee for complaining about compliance shortcomings, or treat them unfairly because they refuse to breach their obligations under the Act
Train Your Staff
Staff must know how to look after data entrusted to the organization. It's on you as the business owner to properly train and educate staff on PIPEDA and how it applies to your company.
Importantly, staff should know where to direct any questions about data use and storage, and they should know who your CPO is.
Use Appropriate Security Measures
All personal information is potentially sensitive. Keep hard copies securely locked away, and keep anti-virus and other security software on your IT systems up to date to minimize the chances of a cyber attack.
Be Clear About What is Optional
Make sure individuals know what information you don't need. For example, you don't need a person's Social Insurance Number (SIN) unless there is a specific legal requirement. You don't need a copy of their driver's license, either.
Video surveillance is a big one. Any surveillance is personal information. Only capture this data if you must. Make it clear that videos are recording and that individuals can withdraw their consent to this at any time.
When There is a Data Breach
Sometimes, no matter how careful you are, there's a data breach.
PIPEDA provides that you must report any data breach to the Privacy Commissioner of Canada if:
- The breach compromises personal information; and
- The unauthorized access, or the data loss, puts an individual at significant risk of harm.
Put simply, a breach is any unauthorized access to, disclosure of, or loss of personal information. This can be, for example, unauthorized disclosure of someone's name, or an employee's unauthorized access to personal records.
You're at fault under PIPEDA if you haven't established safeguards to protect data, or if these safeguards fail.
But what is "significant" enough that it must be reported to the Privacy Commissioner?
Significant Risk of Harm
An individual is at risk of serious harm, within the meaning of PIPEDA, if any of the following may occur as a result of the breach:
- Grievous physical harm
- Severe financial hardship or loss
- Identity theft
- Loss of opportunities, including employment opportunities
- Credit record damage
- Property damage
Breaches are assessed on a case-by-case basis. To protect your business, ensure you only collect the data you need and keep your security up to date.
Most importantly, never fail to report a significant breach - this failure can result in fines of up to $100,000!
Summary
PIPEDA, like similar privacy regulations around the world, aims to balance commercial marketplace realities against an individual's right to privacy. Abiding by the 10 Principles set out in PIPEDA is the easiest way to comply with your responsibilities.
A top tip is to collect the bare minimum personal information you need for a clear and specific purpose. Be transparent and keep your customers fully informed of how their data's used, and get consent whenever the usage, collection, or handling changes.