What is PIPEDA? 🤔

PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is a federal privacy law that applies to private sector organizations in Canada that collect, use or disclose personal information in the course of commercial activity.


PIPEDA regulates how businesses collect, use and disclose their customers' personal information for use in a commercial activity. But what constitutes a commercial activity?

The law defines a commercial activity as "an activity that promotes, creates, or exchanges commercial products or services. Commercial activities include, but are not limited to, advertising, fund-raising, buying or selling any product or service, encouraging paid membership in any group, association or organization, or the marketing of commercial activities. Commercial activities do not include such activities by or for government entities."

What is personal information?


Personal information is any factual information that relates to an identifiable individual. This includes, but is not limited to, the following:

  • name and age
  • home address, business address, email address
  • health, finances, education
  • identifying numbers such as social security number, tax file number, driver's licence number, telephone number, mobile number
  • race and ethnic origin
  • DNA and blood type

Who does PIPEDA apply to?

PIPEDA applies to all private sector enterprises in Canada that collect, use and/or disclose personal information, unless they are located in Alberta, British Columbia or Quebec. Why? These three provinces have strong privacy laws of their own that are similar to PIPEDA.

What constitutes a private sector organization? A private sector organization is run by individuals or groups in order to turn a profit, and is not usually under government control. Private sector organizations include:

  • sole proprietors
  • partnerships
  • small, medium and large companies

Some federally regulated organizations are also subject to PIPEDA. These organizations include:

  • airports, aircraft and airlines;
  • banks and authorized foreign banks;
  • inter-provincial or international transportation companies;
  • telecommunications companies;
  • offshore drilling operations; and
  • radio and television broadcasters.

Your responsibilities under PIPEDA


Schedule 1 of PIPEDA sets out 10 fair information principles that businesses must follow. These principles are:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

1. Accountability


In order to comply with the first fair information principle, your organization needs to:

  • comply with all 10 fair information principles
  • appoint a person to be responsible for your PIPEDA compliance
  • protect the personal information held by your organization
  • develop and implement best personal information practices

2. Identifying Purposes

In order to collect and use personal information under PIPEDA, your organization must have a reason for collecting the data. To comply with fair information principle 2 you will need to:

  • identify and document the purpose for which personal information is collected
  • inform your customers of the reason you are collecting their personal information before or at the time of collection
  • obtain fresh consent if you want to use their personal information for a new purpose

In the case of online businesses, all of this can be achieved by having a PIPEDA-compliant privacy policy on your website.

3. Consent


In order to collect, use and disclose personal information legally, you must obtain consent from your customers. To comply with fair information principle 3 you must:

  • obtain meaningful consent from your customers for the collection, use and disclosure of their personal information
  • make consent "meaningful" by explaining why you are collecting your customers' information and what you will use it for
  • seek consent only for uses or disclosures that are necessary to fulfil a specified and legitimate purpose
  • choose how you seek consent according to the circumstances and the type of information you are collecting
  • allow your customers to withdraw consent at any time, subject to legal and contractual obligations, and make sure they understand the implications of withdrawing it

For online businesses that need to collect personal data in order to operate, consent can be obtained through a compliant privacy policy that covers the following:

  • what personal information you collect
  • what third parties, if any, the personal information is shared with
  • the purpose for which the personal information is collected
  • the risks of harm or other consequences of collecting the personal data
  • this information, presented in a clear and easily accessible manner on your website

4. Limiting Collection

The fourth fair information principle requires that you collect from your customers only the personal information you need in order to fulfil a legitimate, identified purpose. To comply with this principle you need to:

  • collect only the information you require
  • be honest about the reasons you are collecting the personal information
  • collect personal information by fair and lawful means

5. Limiting Use, Disclosure, and Retention


To comply with fair information principle 5 your business will need to:

  • use and disclose the personal information you have collected for its intended purpose only, unless otherwise required by law
  • keep personal information only as long as you need it for the intended purposes
  • be aware of what personal information you have, where it is stored and what you are using it for
  • obtain new consent if you wish to use personal information for a new purpose
  • collect, use and disclose personal information in a way that a reasonable person would deem appropriate
  • have procedures in place for destroying personal information

6. Accuracy

For your business to comply with fair information principle 6, you must minimize the possibility of using incorrect information when making a decision about an individual or disclosing personal information to a third party. To do this, keep personal information as accurate and up to date as possible.

7. Safeguards


It is your responsibility to safeguard the personal information you have collected from your customers. To comply with fair information principle 7 you will need to:

  • protect personal information with safeguards appropriate to its sensitivity
  • protect personal information against loss, theft and unauthorized access

You can achieve this by ensuring you have appropriate security safeguards in place. For information stored electronically, this may include passwords, firewalls or encryption. For physical records this could include locked filing cabinets or alarm systems.

8. Openness

Your business needs to make clear what its personal information management practices are. You must have a privacy policy outlining the collection, use, disclosure and security of personal data available for your customers to read and agree to.

In order to comply with fair information principle 8 you should:

  • inform your customers that you have policies for managing personal information in place
  • make your privacy policy easy to understand and readily available for your customers

9. Individual Access


Your customers have the right to access their personal information, and you must comply with such requests. They also have the right to challenge the accuracy and completeness of the personal information you hold, and if there are errors they may request that you amend it.

To comply with fair information principle 9, your business will need to:

  • disclose what personal information you hold on request
  • detail where the personal information was obtained from
  • disclose who the personal information has been shared with, if anyone
  • explain how the personal data has been used
  • provide access to personal data at no or minimal cost; if you are unable to provide the personal data, you need to be able to explain why not
  • correct any errors in personal information if applicable
  • keep record of any disputes about personal data
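As an added illustration that is not part of the original article, the following Python sketch shows how fair information principles 5 (limiting use, disclosure and retention) and 9 (individual access) translate into concrete engineering controls: an inventory of what personal information is held, where, and for what purpose; disclosure that is bound to the consented purpose; destruction once the retention period has run out; and the access report and dispute record an individual may ask for. The record fields, purposes, retention periods and sample customer data are all constructed assumptions for the example, not requirements prescribed by PIPEDA.

```python
"""Added example (not from the original article): a minimal personal
information inventory enforcing fair information principles 5 and 9.
All purposes, retention periods and customer data are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PersonalRecord:
    """One item of personal information plus the facts you need to know about it."""
    subject_id: str                 # the identifiable individual
    field_name: str                 # e.g. "email"
    value: str
    purpose: str                    # purpose identified at collection (principle 2)
    collected_on: date
    retention_days: int             # how long the stated purpose needs it (assumed value)
    source: str                     # where it was obtained from (principle 9)
    store: str                      # where it is held (principle 5)
    shared_with: list = field(default_factory=list)


class Inventory:
    def __init__(self):
        self.records = []
        self.disputes = []          # principle 9: keep a record of disputes

    def add(self, rec):
        self.records.append(rec)

    def expired(self, today):
        """Records whose retention period has run out and that must now be destroyed."""
        return [r for r in self.records
                if today > r.collected_on + timedelta(days=r.retention_days)]

    def purge(self, today):
        """Destroy expired records; returns how many were removed."""
        gone = self.expired(today)
        self.records = [r for r in self.records if not any(r is g for g in gone)]
        return len(gone)

    def disclose(self, rec, recipient, purpose):
        """Release a value only for the purpose the individual consented to."""
        if purpose != rec.purpose:
            raise PermissionError(f"purpose {purpose!r} was not consented to; obtain new consent")
        rec.shared_with.append(recipient)
        return rec.value

    def access_report(self, subject_id):
        """What an individual may ask for: what is held, from where, shared with whom, and why."""
        return [{"field": r.field_name, "source": r.source, "store": r.store,
                 "purpose": r.purpose, "shared_with": list(r.shared_with)}
                for r in self.records if r.subject_id == subject_id]

    def correct(self, subject_id, field_name, new_value, note):
        """Apply a correction requested by the individual and log the dispute."""
        for r in self.records:
            if r.subject_id == subject_id and r.field_name == field_name:
                self.disputes.append((subject_id, field_name, r.value, new_value, note))
                r.value = new_value
                return True
        return False


def demo(today=date(2021, 6, 1)):
    """Constructed sample data; the purposes and retention periods are illustrative only."""
    inv = Inventory()
    inv.add(PersonalRecord("cust-1", "email", "a@example.com", "order fulfilment",
                           date(2021, 5, 1), 365, "checkout form", "orders-db"))
    inv.add(PersonalRecord("cust-1", "phone", "555-0100", "delivery contact",
                           date(2020, 1, 1), 90, "checkout form", "orders-db"))
    # Disclosure to the courier for the consented purpose is allowed ...
    inv.disclose(inv.records[0], "courier", "order fulfilment")
    # ... but reusing the same address for marketing needs fresh consent (principle 5).
    try:
        inv.disclose(inv.records[0], "ad-network", "marketing")
        blocked = False
    except PermissionError:
        blocked = True
    purged = inv.purge(today)               # the phone number is long past its 90 days
    inv.correct("cust-1", "email", "b@example.com", "customer reports typo")
    return blocked, purged, inv.access_report("cust-1"), len(inv.disputes)


if __name__ == "__main__":
    print(demo())
```

The point of keeping purpose, source, store and retention alongside the value itself is that the access report (principle 9) and the retention purge (principle 5) can both be answered from the same inventory, instead of being reconstructed from scattered systems when a request or audit arrives.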

10. Challenging Compliance

The final fair information principle requires that any individual be able to make a complaint and challenge your compliance with the 10 fair information principles. To ensure you are complying, you will need to:

  • have complaint handling procedures in place
  • give complainants information about what recourse they can take
  • investigate all of the complaints you receive
  • improve your information handling practices if they are found not to comply

For all privacy-related complaints in Canada you can go to: https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint

Conclusion

PIPEDA is similar to many other privacy laws around the world. Its aim is to balance the need to collect and use personal data against the rights of the individual.

To ensure you comply with this Canadian law, collect the minimum personal information you can from your customers, make sure you obtain their consent for the collection, use and disclosure of their information, and be transparent about your business's practices.

If you are an online business or have an online presence, you will be required to have a privacy policy on your website. Your privacy policy will need to disclose what personal information you collect, how you use this information, how it is stored, how you keep it secure and how long you hold it for. You will also want to ensure that you include your contact details so your customers can reach out to you if they have any concerns relating to their personal information.

Disclaimer

The information in this article is for informational purposes only, should not be construed as legal advice on any matter, and does not create a lawyer-client relationship.
