The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the personal information of Canadians. PIPEDA achieves this goal by requiring certain websites to have a Privacy Policy, by providing Canadians with privacy rights, and by imposing heavy penalties on those that fail to comply with its requirements. This law also introduces the PIPEDA fair information principles, which form the ground rules for the collection, use, and disclosure of personal information under this law. In this article, we will discuss the ten PIPEDA fair information principles and what requirements they place on websites.
PIPEDA applies to private companies across Canada that collect, use or disclose personal information in the course of a commercial activity. In this case, commercial activity means any transaction, act, or conduct, or any regular course of conduct that is of a commercial character. PIPEDA also applies to all businesses that operate in Canada and handle personal information that crosses provincial or national borders, regardless of the territory in which the business is actually based.
Accountability
The first principle is accountability, which states that you are responsible for the personal information under your control. This principle also requires you to appoint someone that is responsible for your organization’s privacy law compliance. You must disclose that person’s name, title, and contact information in your Privacy Policy so that consumers may easily reach them with any questions or concerns.
The responsibilities of the accountability principle can be fulfilled by developing a privacy management program which would aid you in performing the following tasks:
- Designate a privacy official;
- Conduct a privacy impact assessment and threat analysis;
- Understand what personal information you collect, why you collect it, how you use it, how you secure it, who has access to it and more;
- Develop, document, and implement policies and procedures to protect the personal information; and
- Perform regular reviews of your program and address any gaps.
Remember that the person accountable for your privacy program must have the support of senior management in your company and that you need to communicate the position and responsibilities of this person both internally and externally.
Identifying purposes
The second PIPEDA fair information principle is identifying purposes, which requires you to state the purposes for which you are collecting personal information before or at the time of the collection. These purposes should be identified in your Privacy Policy. It is important to clearly and completely state all of the purposes for which you will be using the personal information at the start as you will need to obtain consent again if you identify a new purpose for which you’d like to use the personal information. Note that you cannot use the personal information collected for any unlisted purposes without consumer consent.
You should ensure that the purposes that you identify in your Privacy Policy are clear and specific. Avoid overly broad statements. The following are a few examples of sufficiently specific purposes:
- Opening an account;
- Identifying customer preferences;
- Processing a magazine subscription; or
- Verifying an individual’s creditworthiness.
Consent
The third PIPEDA fair information principle is consent, meaning that the knowledge and consent of the individual are required for the collection, use and sharing of their personal information, except where inappropriate. For consent to be valid, the person providing such consent must understand what they are agreeing to, which is why PIPEDA has stringent requirements on what a Privacy Policy must disclose. Amongst other things, you should inform visitors to your website of the following:
- What personal information is being collected;
- With whom that personal information is being shared;
- For what purposes the personal information is being collected, used or disclosed; and
- What the risks of harm or other consequences are.
Your disclosures should have sufficient details so that the person reading them can meaningfully understand what they are consenting to. This means that a statement such as “we share your information with third parties” is insufficient, while a statement such as “we share your billing information with a third party payment processor to process payments” would provide significantly more context to the individual about the use of their personal information.
Limiting collection
The fourth principle imposed by PIPEDA is limiting collection, which means that the collection of personal information must be limited to that which is needed for the purposes that you have identified. To meet the requirements of this principle, you should identify what personal information you collect and ensure that you are collecting only what you need. Do not mislead or deceive consumers about why you need to collect their personal information, and do not collect personal information without a clear and necessary purpose for it or “just in case.”
Limiting use, disclosure, and retention
The fifth PIPEDA fair information principle is limiting use, disclosure, and retention, which specifies that personal information can only be used or disclosed for the purposes for which it was collected. This principle also requires personal information to be kept only as long as required to serve those purposes. You should document all of the purposes for which you use the personal information, institute and follow records retention and destruction policies and procedures, practice proper data disposal methods, and train your staff on their responsibilities in protecting personal information.
Accuracy
The accuracy principle requires personal information to be as accurate, complete, and up-to-date as possible to properly satisfy the purposes for which it is to be used. Under this principle, you have the responsibility to minimize the possibility of using incorrect information, as such uses could have a negative impact on the consumer. You also have the responsibility to establish policies on what types of information need to be updated and to respect requests from individuals to exercise their right to amend their personal information.
Safeguards
The seventh PIPEDA fair information principle is safeguards, which requires personal information to be protected by security measures appropriate to the sensitivity of the information. This principle requires you to protect all of the personal information that you collect against loss, theft, or any unauthorized access, disclosure, copying, use or modification. While PIPEDA does not state the specific measures that must be taken, you should consider physical measures, up-to-date technological tools and organizational controls.
When deciding on the proper safeguards to use, think of the following considerations:
- The sensitivity of the information and the risk of harm to the individual;
- The amount of information;
- The extent of distribution;
- The format in which the information is kept;
- The type of storage; and
- The types and levels of potential risks that you face.
Openness
The openness principle requires you to make detailed information about your privacy policies and practices relating to the management of personal information publicly and readily available. This principle requires organizations to have a Privacy Policy that makes very specific disclosures. For more information on these disclosures, read our PIPEDA Compliance Guide.
Individual access
The ninth PIPEDA fair information principle is individual access, which requires that upon request, an individual is informed of the existence, use and disclosure of their personal information. You must respond to the request for access or amendments to personal information as quickly as possible, but no later than 30 days after receiving it, with some exceptions. You must also provide access at minimal or no cost to the individual and notify them of any costs prior to processing their request.
Challenging compliance
The final principle is challenging compliance, which provides that an individual shall be able to challenge an organization’s compliance with the above PIPEDA fair information principles. You should develop complaint handling and investigation procedures and tell visitors to your website about those procedures. You must also provide information on how individuals can complain to the Office of the Privacy Commissioner of Canada.
The ten PIPEDA fair information principles establish the rules for the collection, use, and disclosure of the personal information of Canadians. If PIPEDA applies to you, then you need to ensure that you are following these principles or you could face fines for non-compliance. Use Termageddon’s Privacy Policy generator to help create your PIPEDA-ready Privacy Policy. Wondering about what other privacy requirements apply to your website? Read our article on what laws require websites to have a Privacy Policy.