PIPEDA Fair Information Principles: Limiting Collection

In an effort to give individuals control over how their information is handled by private organizations, many countries have enacted comprehensive privacy laws that include a collection limitation principle. In this article, we will look at how Canada's privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), limits the collection of personal information. PIPEDA consists of ten privacy principles that undergird the rules for the collection, use, and disclosure of personal information. Specifically, privacy principle number four establishes the responsibilities and limits an organization has when collecting personal information from individuals. If PIPEDA applies to your organization, this article will help you understand your responsibilities when collecting personal information.

Under PIPEDA, organizations have three main responsibilities pursuant to the information collection principle. First, PIPEDA establishes a purpose limitation, meaning that organizations can only collect the personal information they need to fulfill a legitimate and defined purpose. Second, the organization must be transparent and honest about the specific reasons for which it is collecting personal information. And third, organizations must collect personal information fairly and lawfully. To effectuate these responsibilities, your organization must identify the types of personal information you intend to collect and then explain that in your privacy policy. You must limit the amount and type of information you collect to the narrow purpose for which it is needed. If an individual provides personal information that your organization does not need, your organization must dispose of it in a safe and secure manner rather than retain it. It is also important that, as an organization, you train your staff to understand why your organization needs the specific information it is collecting. Ensuring your organization limits its collection of personal information to a defined purpose also reduces the risk of loss or inappropriate access, use, or disclosure of individuals' personal information.

How to remain compliant with limiting collection when your organization adopts identification and authentication processes 

While identification and authentication have different definitions, an organization might have both identification and authentication processes, and each process must be appropriately designed. That is to say, your organization must strike a balance between collecting enough information about an individual to authorize a transaction and not collecting, using, or retaining information that is not necessary for that purpose.

Identification allows an organization to ascertain an individual’s identity by certain characteristics including, for example, their name, birthday, or address. These are known as identity attributes. Identification ensures that an organization can remember a specific individual. Authentication is different. Authentication occurs when an individual presents themselves to an organization, or their website, and claims to be a customer with whom the business has a relationship. It is the responsibility of the business to authenticate that claim. A common way for an organization to have an individual authenticate their identity is a password.

PIPEDA accounts for the fact that there is no single approach to identification and authentication. However, the Office of the Privacy Commissioner of Canada, which oversees implementation of PIPEDA, recommends that organizations only identify individuals when necessary. Organizations need to decide if identification is necessary to complete a transaction with an individual. If the transaction can be authorized in a way that ensures the same quality of security without collecting any personal information, then the organization should not identify the individual, unless there is a legal requirement to do so. If an organization does need to identify individuals to authorize a transaction, then it must do so using the least amount of information required. For example, the Office of the Privacy Commissioner of Canada cautions organizations against using individuals' driver's license numbers or social insurance numbers as identifiers. After numerous complaints by Canadians to provincial Privacy Commissioners regarding organizations collecting and recording their driver's license numbers, the federal and provincial Privacy Commissioners have taken the stance that examining an individual's identification card without recording its contents is sufficient. The rationale behind this best practice goes back to the principle that organizations should collect the least amount of personal information possible to satisfy a legitimate business activity. And, because organizations have a duty under PIPEDA to protect the personal information they collect, organizations could subject themselves to litigation if they don't protect that personal information.

Similarly, an individual should only be authenticated by an organization when it is necessary for the purpose of the transaction. If an individual does need to be authenticated, personal information should only be disclosed to that person once the organization is assured that the individual is who they say they are. Organizations should maintain reliable audit records of the authentication process including the date, time, and the outcome. The audit records, however, should not include the authentication information itself. 
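As an added example (not from this article or from the Privacy Commissioner's guidance), one way to implement the audit trail described above: a small Python verifier that records the date, time and outcome of every authentication attempt but never writes the credential itself. The username, salt and credential store are constructed placeholders.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional
import hashlib
import hmac
import json

# Constructed placeholder credential store: username -> salted SHA-256 digest.
# A production system would use a dedicated password hash (e.g. Argon2/bcrypt);
# the plain digest here only keeps the example self-contained.
_SALT = b"example-salt"
CREDENTIAL_STORE: Dict[str, str] = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}

# In-memory audit log standing in for an append-only log store.
AUDIT_LOG: List[Dict[str, str]] = []


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


def authenticate(username: str, password: str,
                 now: Optional[datetime] = None) -> bool:
    """Verify the claimed identity and append exactly one audit record.

    The record holds who claimed the identity, when, and the outcome; the
    password (and its digest) is deliberately never stored in the record.
    """
    now = now or datetime.now(timezone.utc)
    stored = CREDENTIAL_STORE.get(username)
    # Constant-time comparison so the outcome is not leaked via timing.
    ok = stored is not None and hmac.compare_digest(stored, _digest(password))
    AUDIT_LOG.append({
        "timestamp": now.isoformat(),
        "user": username,
        "outcome": "success" if ok else "failure",
    })
    return ok


def audit_record_leaks(secret: str) -> bool:
    """Defensive check: does any serialised audit record contain the secret?"""
    return any(secret in json.dumps(rec) for rec in AUDIT_LOG)
```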

The intersection between the collection limitation principle, openness, and consent

In addition to specifying that the collection of personal information must be narrowed to what is needed for the identified purpose, the limiting collection principle also establishes that information must be collected by fair and lawful means. Irrespective of the format organizations use to collect personal information, all organizations must identify the purpose for doing so and obtain consent from the individual. First, this requires organizations to properly train their employees so they know how to explain to individuals the purpose behind the type of information that is being collected from them. This intersects with the privacy principle of openness under PIPEDA. In addition to being open and transparent, an organization must obtain proper consent. The policy rationale behind obtaining consent is to reduce the likelihood of organizations using deception or ambiguity when stating the purpose for which personal information is collected. An individual's consent must be meaningful, which requires the organization to be clear in communicating the specific type of information it will collect from the individual. Thus, it becomes clear that by violating the collection limitation principle, an organization could also violate other privacy principles, including openness and consent, under PIPEDA.

Failure to comply with PIPEDA can lead to fines of up to $100,000 for each violation. Due to the interconnectedness of the privacy principles, an organization that is not compliant with the collection limitation principle will likely be in breach of another privacy principle. This means that fines against an organization could stack up. It is crucial that your organization craft a privacy policy that explicitly states the information you intend to collect and why it is necessary to fulfill the purposes identified to the individual. Use Termageddon's Privacy Policy generator to help you create a PIPEDA-ready Privacy Policy and avoid privacy-related fines and lawsuits.