Knowledge - 09 December 2021 | By TermsHub

Updated at: 10 December 2021

PIPEDA: Personal Information Protection and Electronic Documents Act

The Personal Information Protection & Electronic Documents Act, more commonly known as PIPEDA, is the main federal privacy law in Canada governing how private-sector organizations within the Canadian borders handle personal information.

An Introduction to PIPEDA

PIPEDA came into effect in April 2000 to govern the credibility and safety of information use in the internet community, in industries such as banking, health, and broadcasting, to name a few. This Canadian data privacy law is applied by the state to both the private and public sectors, at the federal and provincial level, to protect “information about an identifiable individual

Any organization covered by PIPEDA must obtain a person’s consent to collect their personal information, especially when the company will disclose information collected from its employees and/or customers in the course of commercial activity.

Although organizations have their own privacy policies, the importance of PIPEDA is that it makes sure the policies made by these companies are strictly followed. In addition, it requires companies to keep up with the Ten (10) Information Principles of the PIPEDA legislation:

  1. Accountability – This principle makes sure that organizations are the ones responsible, and held to account, for the personal information they hold.
  2. Identifying Purposes – Organizations covered by PIPEDA must state to their customers and/or employees the purpose for which data is collected.
  3. Consent – Firms are required to ask for consent for the disclosure and any use of the information collected.
  4. Limiting Collection – Covered private-sector organizations must collect only the details of an individual that are required for the stated purpose.
  5. Limiting Use, Disclosure, and Retention – Organizations ought not to keep an individual’s information once the purpose it was collected for has been fulfilled. They are also obliged to use or reveal personal details ONLY IF the individual has allowed the organization to do so.
  6. Accuracy – Information collected must stay accurate, genuine, and as up to date as possible.
  7. Safeguards – Every organization’s data should be kept under safety measures that protect its customers’ identities. Ensure that the data collected is viewed only by authorized persons within the organization and that the information is protected from being stolen.
  8. Openness – This principle requires organizations to inform the individual about the use of their data. It ensures that the private sector is following the privacy policy of its company. Under this principle, a business must make the following readily available:
     • Contact information of the organization/company
     • Full details about the right of access
     • Classifications of the information needed
     • How the personal information will be used
     • Soft or hard copies of company policies that must be disclosed to an individual
  9. Individual Access – Employees and customers have the right to access their information. If the individual argues that the data written about them is incorrect, they have the right to have it corrected.
  10. Challenging Compliance – The tenth (10th) principle means that the firm should have methods to respond to inquiries and/or complaints quickly.

Importance of PIPEDA

According to this law (PIPEDA), the personal information of a person means details about an individual such as their name, age, ethnic background, telephone number, and the work address of their employer. Because of PIPEDA, the person has the benefit of rights such as:

(1) knowing why the organization collects and uses personal information,

(2) assurance that the data recorded is complete and true, and can be updated by the person the information is about,

(3) filing a complaint if their personal information isn’t safe or is being used in improper circumstances,

(4) having easy access to their data, with the right to correct or edit it if necessary. Through the individual rights stated above, PIPEDA ensures that personal information is not misused or disclosed in ways that may put the employee and/or customer at risk.

PIPEDA considers the following information:

  • Name, age, financial standing
  • Race, national or ethnic origin
  • Marital status
  • Blood type
  • Medical, education, or employment history
  • Valid identification numbers
  • Opinions about a certain thing, and social status
  • Different kinds of records

Take note that the information a company asks for does not need to identify a person specifically to count as personal information. It need only be about an individual, and may be collected in a general form such as a questionnaire.

Personal Information Being Considered by PIPEDA

The Personal Information Protection & Electronic Documents Act, or PIPEDA, applies to the private sector throughout Canada, covering any organization or individual engaged in commercial activities, and practically any government-funded organization. The Act also applies to international business transactions conducted by an organization inside Canada.

PIPEDA defines commercial activity as any particular act, transaction, or conduct, or any regular course of conduct, that is of a commercial character. There are a handful of requirements to fulfill under the Personal Information Protection & Electronic Documents Act (PIPEDA): private and public sector organizations must obtain the person’s consent whenever they use and/or disclose the person’s personal data. Furthermore, the personal information collected can only be used if the individual has been clearly informed of the purpose for which their information is used. Their data must be strictly protected.

The Canadian courts and the Office of the Privacy Commissioner (OPC) have the authority to decide which public and private sector organizations fall under PIPEDA. For instance, schools and hospitals are covered by the Act, and so are non-profit organizations: if a non-profit organization collects personal data, it will also need to fulfill the policies of the Act.

Jurisdictions such as Alberta, British Columbia, and the European Union also have their own electronic commerce privacy protections similar to PIPEDA. For instance, the European Union’s General Data Protection Regulation (GDPR) is a regulation securing the EU’s privacy protection that addresses the disclosure of information inside and outside the union. GDPR’s goal is for individuals to be in control of their personal data in international and local business transactions.

According to a quote from Stephanie P., who generated a Privacy Policy, she needed an up-to-date Privacy Policy for her website because she needed to comply with the GDPR coming into force. With the help of TermsFeed, a worldwide legal agreement generator for websites and apps, she found that it was worth it despite the cost, even though her business is still a small entity. She thanked the generator for making it much easier for her.

Privacy legislation is not limited to Canada. In recent years, data privacy laws have also been enacted elsewhere, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) of the European Union (EU), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), and the Notifiable Data Breach Scheme from Australia.

Canadian Rights under PIPEDA

Canadian organizations are subject to different kinds of rights held by individuals. Canadian individuals have a proper channel for filing a complaint regarding wrong information held about them. To top it off, consent is also an essential feature of PIPEDA: it is something an organization must obtain for the collection and disclosure of an individual’s information. Section 6.1 of the Act states that

PIPEDA allows organizations to pursue a meaningful purpose that follows their aim of providing security for customers. As an illustration, a person should have a proper understanding of why their personal information is being gathered, especially for disclosure. Furthermore, the purpose must be reasonable in its extent for the organization to be a responsible holder of an individual’s information.

Canadians are already familiar with the Privacy Act. However, organizations based in Canada may use an employee’s and/or customer’s personal information only for limited purposes such as business transactions and federal works. Furthermore, these entities still decide whether or not to rely on implied consent when asking for their employees’ or customers’ information. Proper consent depends on the deliberation of both parties, considering the awareness of the individual and the sensitivity of the information being asked for. It must be either “express” or “implied.” Consent must be sought again if the entity uses the personal information for something unnecessary and outside the individual’s understanding of the contract’s conditions. Businesses shall not ask for sensitive information from their clients and employees.

Although age is a crucial part of any contract or agreement, PIPEDA grants the ability to consent to people of any age and social status. Canada sets no minimum age for this purpose. Under PIPEDA, everybody is entitled to consent.

The Digital Privacy Act of 2015 established the significance of breach reports. Certain regulations must be followed. The first is that entities, whether public or private, must keep a record of every breach of their data terms and agreements, and the Privacy Commissioner must be informed of it. Next, if the data breach may be a real threat to an individual, they must notify the person, and the breach must be reported to the Privacy Commissioner so that it is taken into account.

Additionally, according to the jurisdiction of the Office of the Privacy Commissioner (OPC), businesses from other countries that operate in Canada and have a substantial connection to the country must also comply with the Act. Therefore, if their website or electronic commerce is hosted inside the country and targets Canadians, they are obliged to follow the terms of PIPEDA written above and create a privacy policy that agrees with those terms.

Privacy Policy Requirements

Producing a Privacy Policy may be a bit tricky, but it isn’t that hard if you follow the requirements of PIPEDA. The Privacy Policy must include an Introduction that describes the purpose of the site and why an individual’s information is being asked for. The date on which you last updated your website’s Privacy Policy must also be indicated in the Introduction. You can also include your company’s principles for handling an individual’s information.

An Organization’s Contact Details must also be stated in the Privacy Policy. Under PIPEDA, the company’s website must include the name and address of the person accountable for the organization’s principles, and anyone with a complaint or question is highly encouraged to contact them. Larger entities, however, must assign a person (e.g., a Privacy Officer) whom they can task with overseeing compliance with the laws and regulations of PIPEDA.

The following are guidelines for creating your website’s Privacy Policy according to the Office of the Privacy Commissioner (OPC) and the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • Use precise wording and document exactly what you mean. Avoid too much jargon, because you have to ensure that the person reading your Privacy Policy understands it fully.
  • Be specific. Provide a detailed outline of your Privacy Policy together with its required sections.
  • Ensure that the Privacy Policy you produce is easy to navigate and clearly worded.
  • Keep the Privacy Policy updated so that it reflects the practices inside your business as it grows and changes.
  • Guarantee that your website’s Privacy Policy is handy and accessible. Display it at the top of your site where people can easily notice it, and give them a chance to read it when you collect their personal information.

Listed below are the basic requirements for producing a Privacy Policy, as set out in Section 4.8.2 of PIPEDA:

  1. The name or title, and the address, of the person who is accountable for the company’s policies and practices and to whom complaints and inquiries can be directed;
  2. The means by which an individual can gain access to their own personal information held by the firm;
  3. A short description of the type of personal information asked for or held by the organization, including a full account of its use;
  4. A copy of any documents or other information that explain the company’s policies, standards, and codes;
  5. What kind of personal data has been made accessible to any other related organization (e.g., subsidiaries).

Note that the basic Privacy Policy requirements of PIPEDA stated above do not fall within the scope of privacy laws outside the borders of Canada.

The rights under PIPEDA are less forceful but much more specific. PIPEDA Section 4.9 states: upon request, a person must be informed of the use of his/her personal data, and that individual must be given access to their data. Moreover, the person must be able to verify the accuracy and completeness of their information.

In conclusion, private-sector organizations in Canada must follow PIPEDA’s rules strictly. For example, an organization must: ask for an individual’s explicit consent before collecting and/or using any of their personal data; still provide the individual or customer with a product/service even if they are unable to provide their personal information; assure each individual that the information the company has collected was obtained lawfully and is handled with great security; and create a policy on the collection and disclosure of a person’s personal information, which must be specific and readable by anyone.

What Happens if You Fail to Comply?

Non-compliance with the policies of PIPEDA may cost you hundreds of dollars, depending on the penalties that the organization sets. In addition, organizations are at risk of fines if, after a data breach is discovered, they fail to notify the individual and the Office of the Privacy Commissioner of Canada. A fine of up to CAD 100,000 per violation can be charged to an entity that refuses to fulfill PIPEDA’s proactive terms on the security of an individual’s information.

In 2018, PIPEDA made it mandatory to report data breaches that may pose a risk of harm to an individual. Because of that, companies are required to keep records of all data breaches for twenty-four (24) months from the initial discovery of the breach. Failure to protect the safety of an individual’s personal information will also cost hefty penalties and may expose the business to sanctions and a bad reputation.

In line with the penalties described above, PIPEDA lists three (3) criminal offenses that a company may commit and that could lead to court proceedings and criminal liability:

  • Destroying an individual’s information ON PURPOSE
  • Any retaliatory behavior against customers and/or employees who exercise their rights under PIPEDA
  • Obstructing an investigation after a complaint has been made.