The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the personal information of Canadians. PIPEDA achieves this goal by stipulating certain requirements organizations subject to the law must follow. PIPEDA also imposes heavy penalties on those that fail to comply with its requirements. If your organization collects Personally Identifiable Information of Canadian residents, then you must respect the privacy rights the law carves out for Canadians, as well as have a PIPEDA compliant Privacy Policy. PIPEDA’s fair information principles form the ground rules for the collection, use, and disclosure of personal information under this law. In this article, we will examine the second fair information principle called “identifying purposes.”
Organizations must be ready to explain to customers what kinds of personal information they are collecting and why. This needs to occur ideally before the organization collects this information, or at the time of collection. If you are unsure how to define your purposes, think about what a reasonable person would consider appropriate under similar circumstances. Organizations must keep a record of all identified purposes and the consent obtained from individuals. The more narrow and specific an organization is with regard to defining their purposes for collecting personal information, the more easily individuals will be able to understand how their information is being used. Some examples of specific purposes include:
- Opening an account;
- Verifying an individual’s creditworthiness;
- Providing benefits to employees;
- Processing a magazine subscription;
- Sending out association membership information;
- Guaranteeing a travel reservation;
- Identifying customer preferences; and
- Establishing customers eligibility for special offers or discounts.
The identifying purposes principle forces organizations to identify the purposes for which personal information is collected. Because an organization’s Privacy Policy should articulate its commitment to the ten privacy principles of PIPEDA, the Privacy Policy must identify the purpose for which personal information is collected as well. This principle, when followed by organizations, also helps organizations remain compliant with the limiting collection principle under PIPEDA, which requires an organization to collect only that information necessary for the purposes that have been identified. And, when personal information that has been collected will be used for a purpose not previously identified, the organization must obtain the consent of the individual before that information can be used for that secondary purpose. This further exemplifies the importance of another fair information principle: consent. Consent will only be considered valid when it is reasonable to expect that individuals can understand the nature and purpose of the collection. Your organizations’ Privacy Policy and consent statements should not use blanket categories for purposes, but rather, use clear and straightforward language to ensure individuals are able to provide express consent.
The identifying purposes principle affirms PIPEDA’s overriding obligation that any collection, use, or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances. If your organization is subject to PIPEDA it is imperative that you develop, document, and implement policies and procedures to protect personal information and narrowly define the purpose of its collection, obtain consent, and limit the collection, use, and disclosure of that information for its specific purpose.
If PIPEDA applies to you, then you need to ensure that you are following the identifying purpose principle, along with the other nine PIPEDA principles, or you could face fines for non-compliance. Use Termageddon’s Privacy Policy generator to help you create a PIPEDA ready Privacy Policy and avoid privacy-related fines and lawsuits.
