The PIPEDA – Personal Information Protection and Electronic Documents Act – provides Canadians with a variety of privacy rights relating to the protection of their personal information. Like the General Data Protection Regulation (“GDPR”), the PIPEDA emphasizes the need for organizations to convey their personal information management practices to consumers effectively and clearly. As such, Privacy Policies must be consistent with PIPEDA’s fair information principle of “openness,” allowing Canadians to be fully informed when making decisions regarding the collection and disclosure of their personal information.
This article will discuss the following two topics:
- PIPEDA fair information principle – openness; and
PIPEDA fair information principle – openness
The openness principle is guided by the logic that Canadians should not have to decipher “legalese” that the average individual cannot understand when attempting to make informed privacy decisions. Furthermore, the openness principle specifies two responsibilities that organizations must uphold in order to adequately inform consumers under the law:
- Inform customers and employees that the organization has policies and practices for managing personal information; and
- Ensure that these policies and practices are easily understandable and easily available.
The information that organizations should make available includes:
- A list of rights under the PIPEDA and how Canadians may exercise those rights;
- What personal information is collected by the organization;
- How the organization will use the personal information;
- Sources from which the organization has collected the personal information;
- How the organization protects the collected personal information;
- Transfers of personal information outside of Canada;
- The name or title, and the addresses, of the person accountable for the organization’s Privacy Policies. Complaints and inquiries should be forwarded to this individual; and
- A copy of any brochures or other information that explain the organization’s codes, policies, or standards.
The requirement that organizations make available the contact information of “the person accountable” for the privacy practices of the organization is a common requirement across different privacy laws. The GDPR stresses a similar “accountability” principle. The Office of the Privacy Commissioner of Canada has defined “accountability” as the “acceptance of responsibility for personal information protection.” The office has stressed that accountable organizations should have the ability to show “that they have an effective, up-to-date privacy management program in place in the event of a complaint investigation or audit.”
Compliant Privacy Policies under the PIPEDA must also explain what type of personal information is collected by the organization and how that personal information will be used. The law defines “personal information” as “information about an identifiable individual.” The Office of the Privacy Commissioner has listed the following examples of personal information:
- IP Addresses
- Employee files
- Medical records
- Cookie data