Published:

Updated:

PIPEDA Fair Information Principles: identifying purposes

Privacy Policy

Canada, PIPEDA

PIPEDA Fair Information Principles: Identifying Purposes

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the personal information of Canadians. PIPEDA achieves this goal by stipulating certain requirements that organizations subject to the law must follow. PIPEDA also imposes heavy penalties on those that fail to comply with its requirements. If your organization collects Personally Identifiable Information of Canadian residents, then you must respect the privacy rights the law carves out for Canadians, as well as have a PIPEDA compliant Privacy Policy. PIPEDA’s fair information principles form the ground rules for the collection, use, and disclosure of personal information under this law. In this article, we will examine the second fair information principle called “identifying purposes.” 

Organizations must be ready to explain to customers what kinds of personal information they are collecting and why. This needs to occur ideally before the organization collects this information, or at the time of collection. If you are unsure how to define your purposes, think about what a reasonable person would consider appropriate under similar circumstances. Organizations must keep a record of all identified purposes and the consent obtained from individuals. The more narrow and specific an organization is with regard to defining their purposes for collecting personal information, the more easily individuals will be able to understand how their information is being used. Some examples of specific purposes include: 

  • Opening an account;
  • Verifying an individual’s creditworthiness;
  • Providing benefits to employees;
  • Processing a magazine subscription;
  • Sending out association membership information;
  • Guaranteeing a travel reservation;
  • Identifying customer preferences; and 
  • Establishing customers eligibility for special offers or discounts. 

The identifying purposes principle forces organizations to identify the purposes for which personal information is collected. Because an organization’s Privacy Policy should articulate its commitment to the ten privacy principles of PIPEDA, the Privacy Policy must identify the purpose for which personal information is collected as well. This principle, when followed by organizations, also helps organizations remain compliant with the limiting collection principle under PIPEDA, which requires an organization to collect only that information necessary for the purposes that have been identified. And, when personal information that has been collected will be used for a purpose not previously identified, the organization must obtain the consent of the individual before that information can be used for that secondary purpose. This further exemplifies the importance of another fair information principle: consent. Consent will only be considered valid when it is reasonable to expect that individuals can understand the nature and purpose of the collection. Your organizations’ Privacy Policy and consent statements should not use blanket categories for purposes, but rather, use clear and straightforward language to ensure individuals are able to provide express consent. 

The identifying purposes principle affirms PIPEDA’s overriding obligation that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances. If your organization is subject to PIPEDA it is imperative that you develop, document and implement policies and procedures to protect personal information and narrowly define the purpose of its collection, obtain consent, and limit the collection, use, and disclosure of that information for its specific purpose. 

If PIPEDA applies to you, then you need to ensure that you are following the identifying purpose principle, along with the other nine PIPEDA principles, or you could face fines for non-compliance. Use Termageddon’s Privacy Policy generator to help you create a PIPEDA ready Privacy Policy and avoid privacy-related fines and lawsuits.

Photo of author
About the Author
Skylar Young

I am a third year at UIC John Marshall law school in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist.  I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association's Cyber Law and Data Privacy Committee.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates