The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the Personally Identifiable Information (PII) of Canadians. The law achieves this goal by prescribing how PII can be collected, used and disclosed via the ten PIPEDA Fair Information Principles. In this article, we will discuss the PIPEDA Fair Information Principle: Accountability and explain its requirements for websites and organizations that need to comply with PIPEDA.
What is the PIPEDA Fair Information Principle: Accountability?
The requirement to train your staff
A commitment to privacy made by management is only as good as the people executing it – your staff. Your staff will be the ones answering questions, using the PII that you collect, and responding to consumer requests to exercise their privacy rights. It is imperative that your staff receive adequate and frequent training on privacy and their responsibilities, that you are clear about the policies and procedures that they must follow, and that they have your support as your privacy program grows. To meet the requirements of the PIPEDA Fair Information Principle: Accountability, you must train your staff so that they can easily answer the following questions:
- How do I respond to public inquiries regarding the organization’s privacy practices and policies?
- What is valid and meaningful consent? When and how is it obtained?
- How do I recognize and process requests for access or amendments to personal information?
- To whom should I refer privacy-related complaints?
- What are the organization’s current or new initiatives relating to the protection of personal information?
It is imperative that you train all staff who have access to personal information or who have contact with your current or potential customers.
PIPEDA Fair Information Principle: Accountability privacy program requirements
The next requirement of the PIPEDA accountability principle is to develop a comprehensive privacy management program. According to the Office of the Privacy Commissioner of Canada, you should start by creating a privacy impact assessment, which is a tool for identifying and assessing privacy risk throughout a particular program or system. The following checklist should help you begin such an assessment:
- What PII do we collect? Is it sensitive?
- Why do we collect it?
- How do we collect it?
- What do we use it for?
- Where do we keep it?
- How is it secured?
- Who has access to or uses it?
- Who do we share it with?
- When is it disposed of?
You must also develop and implement policies and procedures on how you collect, use, disclose, and protect the PII that you collect, including:
- How you obtain proper consent;
- How and when you will destroy the PII;
- How you will respond to consumer inquiries, requests to exercise their privacy rights, and complaints;
- How you will detect, investigate and respond to breaches of PII;
- How you will perform and implement risk assessments.
Lastly, as technology and associated risks change frequently, you should perform periodic assessments of your privacy program and conduct simulations and training.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.