If your business operates in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates what you can do with the personal information you gather from your customers.

PIPEDA is a Canadian federal law that applies to businesses operating in the private sector.

The law regulates how:

  • Businesses collect personal and sensitive information
  • A business uses this personal information
  • Businesses operating in Canada disclose personal information

Chances are, if you're operating a business with customers, you're collecting their personal data. So, how do you comply with this law, and why does it exist in the first place?

Put simply, PIPEDA aims to strike a balance between commercial needs and personal freedom. It balances the need for businesses to gather information that helps them understand their customers against each person's right to privacy.

Why is this balance necessary? It's simple, really. Everyone wants to know:

  • Why they're sharing their data;
  • Where their information is stored;
  • What happens to this information; and
  • Who they can complain to if they're unhappy.

The bottom line is that personal information should only be used for the purposes for which it was collected, and individuals have the right to access the information you hold on them.

So, how does PIPEDA work, in practice?

Who PIPEDA Applies To

In a nutshell, PIPEDA applies to:

  • A business
  • Federally regulated in Canada
  • Collecting, using, or distributing personal information
  • In the course of commercial activity

Let's break down who the Act applies to in more detail, and what the exceptions are.

Businesses Falling Under The Scope of PIPEDA

Private organizations based in Canada fall under PIPEDA's scope unless the organization is based in:

  • Alberta;
  • British Columbia; or
  • Quebec

Organizations based in any of these three provinces, so long as they operate solely within the province, are exempt from PIPEDA. Why? Because these provinces have robust privacy laws that are very similar to PIPEDA, anyway.

Otherwise, any private sector business undertaking commercial activity in Canada should be aware that PIPEDA affects them.

Are You In The Private Sector?

Just what is the "private" sector, anyway? Private sector companies are run by individuals, or groups, who want to make a profit. They're very rarely under direct government control.

Private sector companies include businesses of all sizes:

  • Sole proprietors and the self-employed, such as tradesmen
  • Partnerships, such as dental surgeries
  • Small and medium-sized enterprises
  • Even large-scale, multinational companies

So, now you've established that PIPEDA applies to your business. The next step is identifying the customer information you can obtain and store.

What Is "Personal" Information?

Personal information is anything that can be used to clearly identify an individual. Personal information includes (but isn't limited to):

  • Name, age, date of birth, ID numbers
  • Blood type, ethnicity, DNA, and medical history
  • Income details, employee records, and employment details
  • Marital and social status
  • Disciplinary records
  • Loan and credit application details

We recommend erring on the side of caution - if you suspect it's personal data, treat it as such.

Is Any Personal Information Exempt?

You're probably wondering if it's ever possible to collect personal information without PIPEDA's oversight. What about addresses for greeting cards, for example?

Don't worry. PIPEDA doesn't apply in every situation.

Canadian law ensures that PIPEDA does not apply when:

  • You collect data solely for personal use, such as names and addresses for a personal greeting card list
  • You use the data solely for a literary, journalistic, or artistic purpose
  • The information is being handled by a federal government organization, local or provincial governments, or their agents - these are regulated by the Privacy Act instead
  • You're using the data purely to communicate with an employee about their job and for no other purpose - for example, an employment contract

What makes these situations different? Why doesn't PIPEDA apply?

It doesn't apply because there's no commercial element.

PIPEDA and Commercial Activity

Just what do we mean by "commercial" activity?

Commercial activities are hard to define. Put simply, it's a commercial activity if it involves actions or transactions with a commercial purpose.

For example, it's a commercial activity when you sell something, lease something, or purchase something. It also includes things such as membership lists for fundraising purposes, and bartering.

As soon as there's a commercial goal, or a goal of making money, it's a commercial activity.

What Is Required Under PIPEDA?

Now you know who PIPEDA applies to - a private sector business, in Canada, handling personal information in a commercial way. Now you're probably wondering how it applies.

Simply put, organizations must ensure that they have someone's consent to collect, use, or disclose their personal information. People want to know how their information is being used.

PIPEDA regulates data collection, use, and disclosure through the 10 Privacy Principles of PIPEDA.

The 10 Privacy Principles of PIPEDA

Also known as the "fair information principles," these guidelines are a vital part of PIPEDA. They establish the key rules that organizations under PIPEDA's jurisdiction must follow.

The basic premise behind the principles is the idea that information can only be collected, used, and distributed in a reasonable way. This means that you can only use, collect, or share information in ways that a reasonable person would agree are necessary in the circumstances.

So, for example, if you're building a fundraising membership list, do you need to know someone's blood type or their ethnicity? No, you don't. This would be an unreasonable collection of information because it's above what's necessary to fulfill a specified purpose.

The principles are:

  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure and Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance

1. Accountability

A business must appoint someone who's accountable for complying with the rules. This person is generally called the Chief Privacy Officer (CPO).

2. Identifying Purposes

There must be a reason why you're collecting certain data. A business should clearly communicate this purpose to the individual so the person knows why they are supplying the information. This can be done with a Privacy Policy.

Here's an example of a simple clause in GoPro's Privacy Policy that lets people know what information is collected and why:

GoPro Privacy Policy: GoPro Devices - Information collected clause

3. Consent

You can't obtain, use, or disclose personal information without consent. The individual whose data you handle must give informed consent to whatever you do with their data.

Here's an example of how Jetpack gets consent from individuals when it comes to the types of emails it sends. It uses checkboxes and provides a short explanation of each type of email. This lets customers know how their email addresses will be used and consent explicitly to each use:

Jetpack Privacy Policy: Email updates consent form

4. Limiting Collection

It's vital that businesses limit the scope of the data handled to only what is necessary for an identifiable purpose. This goes back to the earlier example - collect only what data you need, and no more than that.

5. Limiting Use, Disclosure and Retention

A business must:

  • Use the information for a set purpose;
  • Keep and store the data for no longer than necessary; and
  • Obtain consent whenever they use this information for a new purpose

There are very few circumstances in which these rules do not apply, and they're all covered by Canadian law.

6. Accuracy

The personal information you gather must be accurate and complete, so far as possible. You need to make efforts to keep it accurate, such as when a customer updates an email address with you.

7. Safeguards

Very importantly, businesses must ensure there are proper processes in place to keep personal information safe. Information should be safe from, for example, cyber attacks or intrusions.

8. Openness

In a nutshell, someone who trusts you with their personal information should be able to see why you need it. Your data collection and protection policies should be easily accessible, and it should be clear who someone can complain to if they have any queries.

9. Individual Access

When an individual asks to see what information is held on them, or asks you to delete it, you must comply.

10. Challenging Compliance

It might be obvious by now, but any individual whose data you hold can make a complaint if they believe you're mishandling their information. They have a right to complain to your CPO in the first instance.

Recap

Before we look at how you can comply with PIPEDA, it's worth recapping everything we've covered so far.

A private sector organization using, collecting, or storing someone's personal information, during the course of any commercial activity, is regulated by PIPEDA.

  • You can only use, store, and distribute this information for a clear and specific purpose
  • The individuals have a right to know what data you hold on them
  • People have the right to amend their data and ask that you delete it
  • If you hold personal information covered by PIPEDA, you must appoint someone to ensure you comply with the Act
  • You must be transparent at all times

Ensuring Compliance With PIPEDA

It's crucial that you comply with what's expected of you under PIPEDA.

PIPEDA doesn't set out specific compliance rules, but here are some official tips to make compliance easier.

Know The Offences

Under PIPEDA, it's an offence to:

  • Erase or destroy personal information, requested by an individual, before you give it to them
  • Obstruct any investigations
  • Retaliate against an employee for complaining about compliance shortcomings, or treat them unfairly because they refuse to breach their obligations under the Act

Train Your Staff

Staff must know how to look after data entrusted to the organization. It's on you as the business owner to properly train and educate staff on PIPEDA and how it applies to your company.

Importantly, staff should know where to direct any questions about data use and storage, and they should know who your CPO is.

Use Appropriate Security Measures

All personal information is potentially sensitive. Keep hard copies securely locked away, and keep anti-virus and other security software on your IT systems up to date to minimize the chances of a cyber attack.

Be Clear About What is Optional

Make sure individuals know what information you don't need. For example, you don't need a person's Social Insurance Number (SIN) unless there is a specific legal requirement. You don't need a copy of their driver's license, either.

Video surveillance is a big one. Any surveillance is personal information. Only capture this data if you must. Make it clear that videos are recording and that individuals can withdraw their consent to this at any time.

When There is a Data Breach

Sometimes, no matter how careful you are, there's a data breach.

PIPEDA provides that you must report any data breach to the Privacy Commissioner of Canada if:

  • The breach compromises personal information; and
  • The unauthorized access, or the data loss, puts an individual at significant risk of harm.

Put simply, a breach is any unauthorized access to, loss of, or disclosure of personal information. This can be, for example, unauthorized disclosure of someone's name, or an employee's unauthorized access to personal records.

You're at fault under PIPEDA if you haven't established safeguards to protect data, or if these safeguards fail.

But what is "significant" enough that it must be reported to the PCC?

Significant Risk of Harm

An individual is at risk of serious harm, within the meaning of PIPEDA, if any of the following may occur as a result of the breach:

  • Mutilation
  • Grievous physical harm
  • Severe financial hardship or loss
  • Identity theft
  • Loss of opportunities, including employment opportunities
  • Credit record damage
  • Property damage

Breaches are assessed on a case-by-case basis. To protect your business, ensure you only collect the data you need and keep your security up to date.

Most importantly, never fail to report a significant breach - this failure can result in fines of up to $100,000!

Summary

PIPEDA, like similar privacy regulations around the world, aims to balance commercial marketplace realities against someone's right to privacy. Abiding by the 10 Principles set out in PIPEDA is the easiest way to comply with your responsibilities.

A top tip is to collect the bare minimum personal information you need for a clear and specific purpose. Be transparent and keep your customers fully informed of how their data's used, and get consent whenever the usage, collection, or handling changes.

Have a Privacy Policy that discloses your collection and use of personal information. Also disclose how your customers can contact you with questions or issues regarding their information.