The PIPEDA – Personal Information Protection and Electronic Documents Act provides a variety of privacy rights to Canadians pursuant to protecting their personal information. Like the General Data Protection Regulation (“GDPR”), the PIPEDA emphasizes the need for organizations to effectively and clearly convey their personal information management practices to consumers. As such, Privacy Policies must be consistent with PIPEDA’s fair information principle for “openness,” allowing Canadians to be fully informed in making sound decisions regarding the collection and disclosure of their personal information.
This article will discuss the following two topics:
- PIPEDA fair information principle – openness; and
- PIPEDA Privacy Policy requirements.
PIPEDA fair information principle – openness
Pursuant to implementing a compliant PIPEDA Privacy Policy, organizations must be guided by the law’s openness principle. Generally, this principle requires personal information management practices to be both clear and understandable. Moreover, these practices must be readily available to Canadians.
The openness principle is guided by the logic that Canadians should not have to decipher “legalese” that the average individual cannot understand when attempting to make informed privacy decisions. Furthermore, the openness principle specifies two responsibilities for organizations to uphold pursuant to adequately informing consumers under the law:
- Inform your customers and employees that you have policies and practices for managing personal information; and
- These policies and practices must be easily understandable and easily available.
Applying the openness principle to the crafting of your organization’s Privacy Policy, the information contained within must generally be clear, understandable, and readily available to Canadians reading the Privacy Policy. In short, Canadians must be sufficiently informed so as to make sound decisions regarding their online privacy.
From a practical standpoint, your organization’s Privacy Policy is a chance to establish new lines of communication with customers. These lines of communication are essential to establishing a sense of trust between both the organization and the customer. In short, you have a chance to prove to customers that your organization is serious about protecting their personal information.
PIPEDA Privacy Policy requirements
The PIPEDA specifies that the following disclosures must be made within your organization’s Privacy Policy:
- A list of rights under the PIPEDA and how Canadians may exercise those rights;
- What personal information is collected by the organization;
- How the organization will use the personal information;
- Sources from which the organization has collected the personal information;
- Whether or not the organization shares the personal information. If this takes place, the Privacy Policy must disclose what categories of third parties receive the personal information and the purpose of the sharing;
- How the organization protects the collected personal information;
- Transfers of personal information outside of Canada;
- The name or title, and the addresses, of the person accountable for the organization’s Privacy Policies. Complaints and inquiries should be forwarded to this individual; and
- A copy of any brochures or other information that explain the organization’s codes, policies, or standards.
Failing to incorporate any of these components into the organization’s Privacy Policy could result in complaints by consumers or fines.
The requirement that organizations make available the contact information of “the person accountable” for the privacy practices of the organization is a common requirement across different privacy laws. The GDPR stresses a similar “accountability” principle. The Office of the Privacy Commissioner of Canada has defined “accountability” as the “acceptance of responsibility for personal information protection.” The office has stressed that accountable organizations should have the ability to show “that they have an effective, up-to-date privacy management program in place in the event of a complaint investigation or audit.”
As such, compliant PIPEDA Privacy Policies serve as points of contact between the organization and those conducting investigations or audits. The Privacy Policies must therefore accurately disclose who in your organization is: 1) designated as the accountable individual responsible for the organization’s Privacy Policy; and 2) possesses a fundamental understanding of the organization’s privacy program in general so as to effectively respond to potential inquiries from law enforcement entities. These individuals may include privacy officers, compliance officers, or in-house counsel.
The PIPEDA also requires compliant Privacy Policies to provide ways for Canadians to access the personal information held by the organization. “Access” is another fair information principle found within the PIPEDA. In addition to providing access to the individual’s personal information, organizations must allow individuals to challenge the accuracy and completeness of the information. As such, the Privacy Policy must provide individuals with the means to issue requests. This may include instructing individuals to supply the organization with the necessary information to locate the personal information being requested.
Compliant Privacy Policies under the PIPEDA must also explain what type of personal information is collected by the organization as well as an explanation as to how the personal information will be used. The law defines “personal information” as “information about an identifiable individual.” The Office of the Privacy Commissioner has listed the following examples of personal information:
- Ages
- Names
- Emails
- Phone numbers
- IP Addresses
- Employee files
- Medical records
- Cookie data
As a whole, a compliant PIPEDA Privacy Policy must reflect the fair information principles as specified by the law, including the principles of accountability and access. These principles allow individuals to make informed privacy decisions while also providing organizations with the opportunity to establish transparent and trusting relationships with customers. In order to help your online Privacy Policy to meet the requirements of PIPEDA and other privacy laws, consider using Termageddon’s Privacy Policy Generator to update your organization’s Privacy Policy and avoid fines and lawsuits in the process.
