Canada’s electronic privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), has been in force for over a decade. You likely know what PIPEDA is and how it affects your business. This article provides a brief review of the basics, in light of recent amendments. Stay tuned for a PIPEDA Update with more detail on those amendments.
Overview
PIPEDA strives to balance the privacy rights of individuals with an organization’s need to obtain personal information. It sets ground rules for how organizations collect, use and disclose personal information in the course of commercial activity.
Generally speaking, an organization is only permitted to collect, use or disclose personal information:
- For purposes that a reasonable person would consider appropriate in the circumstances; and
- With the knowledge and consent of the individual to whom the information relates.
The few exceptions to this general rule are carved out in the statute itself. You can find PIPEDA, in its entirety, here: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html
Application
PIPEDA applies to private sector organizations across Canada. It also applies to federal works, undertakings and businesses with respect to the collection, use and disclosure of employee or prospective employee information. Notably, PIPEDA does not apply to the collection, use and disclosure of employee information for private business at this time. That said, we always recommend that employers apply PIPEDA best practices to their collection, use and disclosure of employee information.
So what constitutes “personal information” and “commercial activity”? Personal information is “information about an identifiable individual” and is subject to broad interpretation. “Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists” is a commercial activity.
Specific Principles
PIPEDA divides the general rule into ten discrete principles that organizations must adhere to. The principles are as follows:
1. Accountability:
An organization is responsible for personal information under its control and must designate an individual or group of individuals to be accountable for the organization’s compliance.
2. Identifying Purposes:
The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.
3. Consent:
An organization must secure the knowledge and consent of the individual to whom the information relates prior to collecting, using or disclosing that individual’s personal information, except where a statutory exception applies.
4. Limiting Collection:
The collection of personal information must be limited to that which is necessary. An organization must collect personal information through fair and lawful means.
5. Limiting Use, Disclosure & Retention:
An organization must not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only for the time period necessary to fulfill those purposes.
6. Accuracy:
The personal information that an organization collects, uses or discloses must be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
7. Safeguards:
An organization must protect personal information by implementing security safeguards appropriate to the sensitivity of such information.
8. Openness:
An organization must make specific information about its policies and practices relating to the management of personal information readily available to individuals.
9. Individual Access:
Upon request, an individual must be informed of the existence, use and disclosure of his/her personal information and must be given access to that information. An individual must be able to challenge the accuracy and completeness of the information and is entitled to have it amended, where appropriate.
10. Challenging Compliance:
An individual must be able to challenge an organization’s compliance with the above-noted principles.
How Momentum Can Help
We are privacy law experts. We can help your organization ensure that its practices are consistent with PIPEDA and CASL. Contact us today if you have any questions about Canadian privacy law.