The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law of Canada for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activity.
Who is subject to PIPEDA Compliance?
Any private enterprise in Canada that collects personal information in the course of commercial activity is subject to PIPEDA. PIPEDA, the Personal Information Protection and Electronic Documents Act, is a Canadian federal law that applies to businesses operating in the private sector.
Personal information shared with a business may only be used for the purpose for which it was collected, and individuals have the right to access the information that businesses hold about them.
What is Personal Information?
Personal information is anything that can be used to clearly identify an individual. Personal information includes:
1. Name, age, date of birth, ID numbers
2. Blood type, ethnicity, DNA, and medical history
3. Income details, employee records, and employment details
4. Marital and social status
5. Disciplinary records
6. Loan and credit application details
“A principles-based, technology-neutral law, PIPEDA applies to a wide range of commercial activity, and is overseen by an Agent of Parliament, the Office of the Privacy Commissioner of Canada.”
Ten Privacy principles of PIPEDA
The idea behind the PIPEDA principles is that personal information should be collected, used and disclosed in a responsible and reasonable manner.
- Accountability: A business must appoint someone who is responsible for compliance with the PIPEDA rules. This person is generally the Chief Privacy Officer (CPO).
- Consent: A business can’t collect, use or disclose personal information without consent. The individual whose data the business handles must give informed consent to whatever the business does with that data.
- Limiting Collection: A business can’t collect more personal information from an individual than is actually required for its stated purpose.
- Limiting Use, Disclosure and Retention: A business must use the information only for the specific purpose it was collected for, use or disclose it only with the consent of the individual, and must not retain it longer than necessary.
- Accuracy: Businesses must make an effort to ensure that the information they hold is accurate.
- Safeguards: Businesses must take all measures to protect information from cyber attacks, intrusions and other violations.
- Openness: Individuals must be able to see why a business needs their information, whether that information is secure, and whether they can access it. The data protection policy should make clear whom they should contact with a query.
- Individual Access: An individual should be able to see what information a business holds about them, and if they want it deleted or corrected, the business must comply.
- Challenging Compliance: Individuals have the right to complain to the CPO if their information is mishandled.
What if there’s a data breach?
Sometimes, no matter what precautions an organization takes, a data breach (unauthorized access to, or loss of, individuals’ information) happens. In such a case the organization must report it to the Privacy Commissioner of Canada. Failure to report can result in a fine of up to $100,000. The organization is at fault either way, whether no safeguard was in place or the safeguard failed.