What is PIPEDA? (Canada’s Privacy Law Explained)
What is PIPEDA? If you are not familiar with Canada's data protection law, then PIPEDA may not ring a bell for you.
PIPEDA is a collection of data-protection laws that were made to give Canadian citizens the right to access their personal information, restrict a business's use of data outside its purposes, and much more.
If you have a business that is under the jurisdiction of the PIPEDA, then you won't want to miss this, as we will cover the key points and principles to help your business operate under its regulations.
Let's dive in.
Key Takeaways
- The PIPEDA privacy law gives all its Canadian citizens basic data protection rights, such as access to personal information files, a requirement to be notified of data breaches, and more.
- The PIPEDA contains ten key principles that govern its regulations. Businesses must know all these principles and have compliance services ready in order to address each one.
- Implementing the right policy for PIPEDA compliance can be tricky for some businesses. Following a guideline as well as key principles, such as the implementation of security safeguards and working with the DPO, can significantly help your business become more compliant.
What is PIPEDA?
PIPEDA, also known as the Personal Information Protection and Electronic Document Act, is a privacy law in Canada that regulates and governs the act of data collection and its uses by businesses.
PIPEDA was established on April 13th, 2000, and it affects all businesses within Cananda’s jurisdiction, along with businesses that process the personal information of Canadians. It mandates that all businesses follow privacy law regulations and offer compliance services to their customers.
The Purpose of PIPEDA was to address privacy concerns that were being caused by businesses that were collecting personal information without the consent of their subjects. This privacy act enforces that businesses run on fair and legal grounds and must ask for the subject's consent before moving toward data collection.
PIPEDA Effective Date
PIPEDA was first introduced on April 13, 2000, but it did not come into full play until January 1, 2001. PIPEDA received its first amendment in 2004, which expanded the privacy rules that businesses had to follow in order to be compliant.
The last major amendment for PIPEDA was in November 2020, with the addition of Bill C-11.
This bill made the Consumer Privacy Protection Act and the Personal Information and Data Tribunal Act violation punishments more severe for businesses.
The purpose of the inclusion of the PIPEDA and its amendments over time was to adapt to the evolving world of data privacy. The new amendments were made to help keep up with the new practices and methods of how commercial businesses collect personal data and restrict them unless the data subject’s consent.
It is essential for businesses to follow the PIPEDA to avoid fines of up to 100,000 CAD per violation and loss of reputation by consumers.
Who is Covered Under PIPEDA?
The PIPEDA requires that all private-sector Canadian businesses and businesses that process Canadian personal data comply with the PIPEDA.
Every Canadian citizen has data subject rights under the PIPEDA. Some of those rights involve the right to access personal and sensitive information, as well as the right to correct/limit the right to deletion of data.
That means that all businesses that are privately owned and engage in commercial purposes must follow the data protection laws. Any non-profit business that has engaged in any commercial activities must also comply with this law.
Exemptions
Not all Canadian organizations are mandated by PIPEDA’s privacy law. There are some certain exemptions to business that PIPEDA does allow for.
For example, some private sectors, such as Alberta, British Columbia, and Quebec, are exempted from this law if they comply with provincial privacy laws.
The reason why they have been granted permission to follow their own privacy legislation is because it is very similar to PIPEDA’s regulation, and having to follow multiple similar laws would cause more hassle than good.
Other businesses exempted are certain healthcare providers and other federally-regulated businesses, such as banks, airports, and telecommunications companies.
10 PIPEDA Principles
The PIPEDA consists of ten principles that regulate the data protection laws in Canada. Below is an explanation of what each principle is and how it affects businesses in their compliance with the PIPEDA.
1. Accountability
All businesses and organizations under the PIPEDA must be accountable for the handling of personal and sensitive information of their data subjects.
In order for a business to be responsible, an individual with the right criteria must be appointed to become a DPO to ensure that the business is compliant. There can be multiple DPOs if the business feels that it needs more than one individual to ensure proper guidance.
2. Identify Purposes
All businesses under the PIPEDA must know what and why they are pursuing the collection of personal data at the time or before the time the information is gathered.
A business must have a valid reason why they are collecting personal information about its projects. A valid reason is for it to maintain normal business operations. Marketing agencies, for example, need to collect individual data so that they can maintain their business in market research.
3. Consent
In order for a business to collect personal information that is sensitive or poses a significant risk if leaked, you must receive consent from the individual before the data collection occurs.
A business can acquire consent from the individual by using transparent and plain language. Your business should have a way of clearly explaining the reason why you are collecting information, and it should be directly to the point with the individual of whom the data is.
A cookie banner is a good opt-in method that may give a message prompt and explain what its intent is to do with the sensitive data that is collected. The individual can choose to accept or decline consent at the prompt.
4. Limit Data Collection
Businesses under the PIPEDA must only collect the necessary data that is required for them to maintain themselves.
Collecting an abundance of personal and sensitive information can lead to bigger security concerns whenever there is a data breach. Only gathering what is absolutely necessary and in a fair and legal manner can help reduce the risks of uncertainty.
5. Limiting Use, Disclosure, and Retention
Under the PIPEDA, businesses must use or disclose personal information only for the intended purpose that the individual consents to.
Any other uses, disclosure or retention of personal data must acquire consent from the individual in order to proceed with its new purposes. Your business must make every effort to reach out to the individual to inform them of the new uses of their personal data.
In addition, businesses must not retain personal or sensitive information for long periods of time. Businesses are only expected to keep it until it is no longer necessary to keep.
6. Accuracy
Businesses are required to gather and use personal data that is accurate and up-to-date.
This can be achieved by acquiring consent from the data individual and by implementing measures to ensure that the data collected from them is up-to-date. These can come from regular data audits or by encouraging users to update their information on file.
7. Safeguards
The PIPEDA requires that all businesses implement security safeguards to data in order to prevent unauthorized access, retrieval or edits to personal data.
Some examples of safeguards businesses can utilize are our encryption methods, authenticator apps, and secure transmissions. Businesses are also heavily encouraged to practice data minimizing (reducing the amount of data on file) to reduce collateral damage during the events of a data breach.
8. Openness
The PIPEDA expects businesses to be open and fully transparent about their policies and practices regarding their management of the personal information of their data subjects.
In order to follow PIPEDA compliance, your business should be respectful to answer questions from the data subject if they want to know how their data is being handled. Your business should always be prepared to answer those types of questions and have employees ready to handle data subject concerns.
9. Individual Access
Under the PIPEDA, all data subjects have the right to request commercial businesses to access their personal data that has been collected on file.
Your business should have the resources and the right employees trained to be ready to handle individual data success requests. The data subject has the right to ask what information is on file and can be given access at any time upon request, so having the right skills and methods in place to address these data subject concerns must be evaluated.
10. Challenging Compliance
The PIPEDA gives all its citizens the right to change any commercial business regarding their corporate compliance as long as it falls under the principles of the PIPEDA.
What that means for businesses is that they should be equipped and ready to handle any of the previous PIPEDA principles mentioned. For every principle mentioned, there must be a policy and procedure in place to handle it.
Steps to Comply with PIPEDA
PIPEDA compliance requires businesses to set policies that reflect what is required to match the data protection regulations. Below are some steps for you to follow to ensure that your business is compliant with the PIPEDA standards.
Create a Transparent Privacy Policy
Transparency is one of the most important things you can get right early on in your business. Not only does it help you follow PIPEDA compliance, but it can help your customer data clients feel more open to doing business with you.
Developing a transparent privacy plan will require you and your employees to keep up-to-date on the PIPEDA regulations. Once those are all well known, then you can proceed to build policies around the PIPEDA principles.
Some tips would be to always include clear and concise language in the policy, as well as clear information on the purpose for collecting and processing information, how the data subject can exercise their rights, contact details, and safeguards of the data.
Try also to limit how much is collected. Only gather what is needed from the data subjects.
Respond to DSARs
Whenever your business receives a DSAR (Data Subject Access Request), it should be taken seriously and responded to as soon as possible.
The data protection laws of the PIPEDA allow for its citizens to request access to their information as well as to challenge businesses to exercise their rights to retrieve their data (refer back to principles 9 and 10.)
Having policies, as well as staff like a data protection officer who is trained to handle these issues is highly recommended if you want to be compliant with performing a DSAR.
Obtain Consent When Necessary
Opt-in (explicit) consent is required with sensitive data. Opt-out consent is required for all other data. There are some exemptions in which businesses do not have to give consent when collecting personal data.
These exemptions fall under the category of journalistic, artistic, or literary purposes. Data collecting is also exempt from instances where national security is a concern or when information is gathered for an employment application.
Despite these exemptions, that does not mean a business can be careless with the collection of data. Businesses will still be held responsible if they use data outside of their intended purposes and also collect sensitive information (medical, social security, addresses, etc.).
In instances where your business falls under these categories, you may feel less of the need to acquire consent. Even if consent isn't required for every situation, it is best to ask for it to help mitigate the risk.
Setup Security Safeguards
Security safeguards are very important when handling DSARs and to mitigate the risks of a data breach.
Any business that works with personal information needs to be responsible and add security protocols to protect that data. The PIPEDA expects businesses to have them in place.
PIPEDA requires that a business hires a DPO if the business manages a lot of personal data or sensitive data. The DPO will greatly help implement policies that align with PIPDA compliance standards. Once you find the ideal candidate, follow their advice on how to create procedures that will make your business compliant.
Notify Breach of Data
Whenever a data breach occurs, the business is expected to report it to the OAIC and make an announcement regarding what has happened to inform affected consumers if the breach has the potential to result in significant harm to consumers.
The announcement of a data breach should be made as soon as possible. Waiting too long can be viewed as being irresponsible and could even lead to lawsuits or major penalties from the PIPEDA.
Your business uses clear and considerate language when making the announcement. It should also provide steps on what to do next. Whether it's resetting passwords or offering them another service for social security monitoring, it entirely depends on what was leaked and the severity of it.
Remember, the most important thing is to be transparent and to communicate well with your data subjects on the matter.
Closing
The PIPEDA is one of the world’s toughest laws to comply with. Regulations like these, however, are necessary in order to build trust among consumers and prevent huge fines from ever happening.
It all works by having a team of data experts on your side. Here at Captain Compliance, we have professionals who know all the policies and regulations that the PIPEDA has.
If your business could use a team to help implement policies that align with the PIPEDA, consider outsourcing your compliance to us!
Get in touch with an expert today at Captain Compliance to learn more about PIPEDA and how we can help you.
FAQ
How does PIPEDA address the transfer of personal information across borders?
The PIPEDA requires numerous safeguards from the business as well as contract agreements from the business across the border to ensure that the handling and processing of data is managed according to its intended purpose.
Learn more about implementing safeguards from our detailed article here.
What are the consequences of non-compliance with PIPEDA?
Failing to be compliant with the PIEDA can be very costly to your business. A typical fine can be upwards of $100,000 CAD per violation.
Learn more about fines for being non-compliant and how they can decimate your business here.
How does PIPEDA address the use of personal information for marketing purposes?
Marketing purposes require the business to ask its data subjects for consent explicitely if the data is sensitive. Consent can easily be acquired by implementing opt-in and opt-out mechanisms, such as cookie banners. Businesses must only collect what is necessary for their intended purposes. If the data is not sensitive, a business may use opt-out consent.
Read more about cookie consent and how to implement it.
What is the role of the Privacy Commissioner of Canada in enforcing PIPEDA?
The privacy commissioner of the PIPEDA is responsible for enforcing the regulations that govern data protection regulations. The privacy commissioner reports his/her findings and investigations whenever there are public complaints about a compliance breach within an organization.