What is PIPEDA and how can PIPEDA compliance requirements apply to a business operating in Canada? Keep reading to find out.
What does PIPEDA stand for? Personal Information Protection and Electronic Documents Act.
What Is PIPEDA?
PIPEDA (Personal Information Protection and Electronic Documents Act) is the federal privacy legislation for private-sector organizations in Canada. PIPEDA became law in 2000 to promote trust and data privacy in e-commerce. It has since expanded to include other industries such as banking, media and entertainment, and the healthcare sector.
PIPEDA governs the collection, use, and disclosure of personally identifiable information (PII) while recognizing individuals’ right to privacy regarding their personal information. It also requires that organizations collect, use, or disclose PII only in ways that would be considered appropriate.
Similar to the European Union’s General Data Protection Regulation (GDPR), under PIPEDA individuals have the right to access PII held by an organization, determine who is responsible for collecting it, understand why it is being collected, and challenge its accuracy.
PIPEDA is designed to keep Canada’s data breach notification requirement consistent with the country’s trading partners. According to a regulatory impact analysis by the Canadian government in 2017, the law is currently deemed to provide an equivalent level of privacy protection to GDPR, which allows for the free movement of personal data from the EU to Canadian organizations.
What Is Personal Information (PII) Under PIPEDA?
PIPEDA in Canada governs the use, collection, and disclosure of personal information. According to the Act, PII includes factual or subjective information, whether recorded or not, about an identifiable individual. PII in any form is covered; examples include:
- Age, name, and ID number
- Race, nationality, or ethnicity
- An individual’s blood type
- Marital status
- Medical information (comparable to the Health Insurance Portability and Accountability Act [HIPAA] in the U.S.)
- Opinions, assessments, and comments
- Social status
- Medical, education, and employment records
- Social insurance number or driver’s license
- Employee files, credit history, and financial data
- Disciplinary actions
What Is Not Covered Under PIPEDA?
Generally, the following are not covered by PIPEDA:
- Personal information handled by federal government institutions listed under the Canadian Privacy Act
- The provincial or territorial governments and their agents
- Business contact information that is acquired, used, or disclosed solely to communicate with that person about their employment or profession
- An individual’s acquisition, use, or disclosure of personal information strictly for personal purposes
- An organization’s acquisition, use, or disclosure of personal information for non-commercial use, such as journalistic, artistic, or literary purposes
Why Is PIPEDA Compliance Important?
Any private-sector organization that collects, stores, and disseminates PII, including protected health information (PHI), as part of its commercial activities within Canadian borders must comply with PIPEDA. The Act applies specifically to commercial activities as defined in its provisions, so it is worth noting that not every commercial activity is subject to PIPEDA.
Under PIPEDA, commercial activity refers to a particular transaction, act, or conduct, or any regular course of conduct that is commercial in nature, including selling, bartering, or leasing of donor, membership, or other fundraising lists. Any business registered in Canada that meets this definition of a commercial activity must demonstrate PIPEDA compliance. Overseeing this compliance is the Office of the Privacy Commissioner of Canada.
PIPEDA can also apply to businesses domiciled in another country. Specifically, under PIPEDA provisions related to international trade, all organizations that process data from Canadian residents for commercial purposes must abide by Canada’s privacy law.
Organizations Not Subject to PIPEDA Compliance
PIPEDA compliance does not apply to nonprofit organizations, charity groups, and political parties unless they engage in commercial activities besides their core operations.
PIPEDA may also not necessarily apply to provincially regulated organizations and activities in provinces that have adopted similar privacy legislation. Provinces with legislation similar to PIPEDA include Quebec, British Columbia, Alberta, Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador.
PIPEDA also applies to interprovincial and international transactions in which personal information flows across borders, and to organizations regulated by the Canadian federal government. These include telecommunication companies, banks, and transport companies.
For provinces with similar legislation, the law is still applicable to PII collected, used, or disclosed by federally regulated organizations—namely, federal works, undertakings, or businesses (FWUBs). These include:
- Interprovincial trucking
- Airports and airlines
- Radio and television stations
- Telecommunication companies, including internet service providers, cellular or landline companies, and cable companies
- Railways, canals, pipelines, and ferries that cross borders
What Is the Geographical Scope of PIPEDA?
PIPEDA applies to private-sector organizations in Canada that are federally regulated and collect, use, or disclose personal information in their commercial activities. These organizations need not be headquartered in Canada: the law applies as long as they collect, use, or disclose personal information belonging to Canadians and have operations in Canada. This holds regardless of the province or territory in which the business is based and regardless of whether that province has similar data privacy legislation.
What Are the 10 Principles of PIPEDA?
To comply with PIPEDA, an organization must follow PIPEDA’s 10 fair information principles. These principles outline the standards for the collection, use, and disclosure of personal information and the rights of individuals, and they are the foundation on which the legislation is built.
Accountability. Organizations are responsible for the personal information under their control and must appoint a person who is accountable for the organization’s compliance with PIPEDA. This includes any information that may be transferred to a third-party vendor for processing.
Identifying purposes. The purposes for which PII is collected must be identified by the organization at or before the time the information is collected.
Consent. The knowledge and consent of an individual are required before collection, use, or disclosure of PII. Organizations can implement opt-in or opt-out options to obtain individuals’ consent depending on the sensitivity of the collected personal information.
Limiting collection. The collection of PII is limited to that which is necessary for the purposes identified by the collecting organization. The information must be collected using fair and lawful means.
Limiting use, disclosure, and retention. PII must not be used or disclosed for purposes other than those for which it was collected, except with the individual’s consent or as required by law. PII must be retained only as long as necessary to fulfill those purposes.
Accuracy. PII collected by an organization must be accurate, complete, and up to date as is necessary for the reasons for which it is intended to be used.
Safeguards. PII must be protected by security safeguards appropriate to the sensitivity of the information.
Openness. An organization must make specific information about its policies and practices relating to its management of PII available to those who request it.
Individual access. Upon a request, an individual must be informed of the existence, use, and disclosure of any PII and must be given access to that information. An individual must be able to challenge the accuracy and completeness of the information and can have it amended as needed.
Challenging compliance. An individual must be able to address any challenge regarding compliance with these principles to the designated individual accountable for the organization’s compliance with the data laws.
How Is PIPEDA Different From GDPR?
Canada’s PIPEDA and the EU’s GDPR are similar laws because they both regulate data privacy and give users more control over their data. However, there are some critical differences between the two:
Jurisdiction. GDPR applies to all European Economic Area (EEA) businesses and to non-EEA businesses that provide services to or monitor the behavior of EEA residents. PIPEDA, however, doesn’t apply uniformly in every Canadian province; it doesn’t necessarily apply to organizations in provinces that have similar legislation in place.
Application. While PIPEDA applies to many private-sector organizations processing personal data for commercial purposes, GDPR applies to any organization that collects and uses PII belonging to EEA residents.
Consent. While the GDPR requires active consent from users for data collection and processing, PIPEDA allows implied or explicit consent depending on how sensitive the information being collected is.
These two privacy laws may differ in scope and compliance requirements, but they emphasize accountability and transparency on the part of the organizations collecting personal data. Whether an organization operates in Europe or Canada, it must follow the applicable data privacy law requirements to avoid legal consequences. In response, organizations must apply rigorous cybersecurity risk management protocols.
Data Breaches Under PIPEDA
As of November 2018, organizations subject to PIPEDA that experience a data breach need to determine whether the unauthorized access to or loss of personal information creates a risk of significant harm to individuals. A data breach, according to PIPEDA, refers to the loss of, unauthorized access to, or unauthorized disclosure of PII held by an organization.
PIPEDA regulatory compliance requires that once an organization becomes aware of a data breach, it must report the breach to the Office of the Privacy Commissioner of Canada by filling in a breach report form.
An organization must also notify the affected individuals about the breach as soon as possible. The law requires that organizations keep records of all data breaches for two years. Failure to follow the breach notification procedures amounts to a violation of PIPEDA.
PIPEDA and Sensitive Content Communications
In an increasingly digital world, compliance with data privacy laws such as PIPEDA is not only a legal requirement but a good business practice. Digital communications of PII within, into, and out of organizations must heed the mandates found in PIPEDA. Failure to comply or demonstrate compliance with PIPEDA can attract substantial fines and penalties.
The Kiteworks platform unifies sensitive content communications—email, file sharing, file transfer, managed file transfer, web forms, and application programming interface (API) protocols—into one channel. Consolidated metadata enables organizations to manage risk and proactively identify potential privacy and compliance issues by applying uniform security and governance policies that track and control where data is going, who is accessing it, and how it is shared. This Private Content Network enables streamlined governance, strict compliance, proactive threat detection, and fast incident response.