November 3, 2022
The Ultimate Guide to PIPEDA Compliance
14 Min Read
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law, introduced in April 2000. The law aims to regulate the use of personal information in commercial activity by private-sector organizations and outlines several key requirements for compliance.
PIPEDA, which is now more than 20 years old, has experienced several attempts at an overhaul. In fact, there have been two attempts within the past two years alone. In 2020, Bill C-11, the Digital Charter Implementation Act, was introduced seeking to reform private-sector privacy legislation at a federal level in Canada. Bill C-11 died in 2021, after failing to pass through the House. In June 2022, Bill C-27 was introduced: a reworking of the failed Bill C-11. Bill C-27 would enact three new acts into Canadian law: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
While any potential updates to federal privacy law in Canada may take some time to come to fruition, organizations that fall under the scope of PIPEDA still need to understand and implement its provisions. Let’s dive into the key areas of PIPEDA compliance and how to fulfill them.
Who does PIPEDA apply to?
Before you start building a comprehensive PIPEDA compliance program, it is worth understanding whether the law applies to your organization. The scope of PIPEDA clearly defines who is covered, and there are a few questions you can ask yourself to identify whether you need to comply.
- Do you operate in the private sector?
- Do you collect, use, and disclose personal information?
- Is that for commercial or for-profit activity in Canada?
If you answered yes to all the above, you fall under the scope of PIPEDA and you are required to comply with its requirements. There are a few exemptions to PIPEDA’s scope to note:
- Federal government organizations listed under the Privacy Act
- The personal information of employees
- Information collected, used, and disclosed for:
- Personal purposes
- Journalistic purposes
PIPEDA is not the only privacy law in Canada; provincial privacy laws in Alberta, British Columbia, and Quebec that are deemed “substantially similar” to PIPEDA come into play, with exemptions applying where overlap with PIPEDA occurs.
How to comply with PIPEDA
What is PIPEDA compliance?
PIPEDA compliance means fulfilling your organization’s obligations in line with the provisions of the law and having the technical and organizational measures in place. As with any privacy law, compliance with PIPEDA is not a one-time exercise, nor can it be achieved through tick-box exercises. PIPEDA compliance is ongoing and certain areas of the law, such as privacy rights requests and breach response, need continued attention.
Understanding your data
The first essential step to comply with PIPEDA is understanding what information is considered personal information, what information your organization holds, and how the two compare.
First, let’s examine the definition of personal information under PIPEDA. Personal information covers any information about an identifiable individual. This includes information that is factual or subjective in nature, whether it is recorded or not.
In guidance issued by the Office of the Privacy Commissioner of Canada (OPC), examples of personal information include:
- Age, name, ID numbers
- Ethnic origin
- Blood type
- Income, credit records, loan records
- Medical records
- Existence of a dispute between a consumer and a merchant
Developing a central data map is vital for your organization’s compliance program, enabling you to have a clear view into your data and which laws apply. Understanding PIPEDA’s definition of personal information can help you to apply the correct regulatory context to the information your organization has and ensure that requirements such as information provision requirements or privacy rights requests are met correctly.
In the case of PIPEDA compliance, organizations can also use an up-to-date data map to ensure processing activities align with and are in compliance with the ten Fair Information Principles that organizations are required to meet.
PIPEDA’s 10 Fair Information Principles
Processing personal information in line with the ten Fair Information Principles set out by PIPEDA is essential for an organization’s compliance. The OPC describes the ten Fair Information Principles as the “ground rules” for processing and as such organizations must ensure they are being met.
The ten Fair Information Principles found under PIPEDA comprise:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure, and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
A deeper view into each of the ten Fair Information Principles can be found below.
1. Accountability
Organizations are responsible for the personal information they control and must appoint someone to be accountable for compliance with PIPEDA.
To meet the accountability principle, organizations should develop a privacy management program and relevant privacy policies. These should be reviewed at regular intervals to ensure ongoing compliance and staff should be trained to understand how their role intersects with the organization’s privacy requirements.
2. Identifying purposes
The purposes for collecting personal information must be identified and documented before or at the time of collection. At the time of collection, individuals must be informed of the identified purpose, and if the purpose for processing that personal information changes, new consent must be obtained.
3. Consent
Organizations must obtain “meaningful consent” to collect, use, or disclose an individual’s personal information. This means individuals must be informed of what they are consenting to, who the personal information is being shared with, and any potential risks.
The OPC highlights several conditions for collecting valid consent, including informing individuals in accessible ways, offering individuals the ability to withdraw consent, and ensuring the purposes for collection are considered appropriate.
4. Limiting collection
The collection of personal information must be limited to legitimate purposes and must be collected in a fair and lawful manner. Organizations should refer to the second FIP to ensure they are limiting collection of personal information to what is necessary for the identified purpose.
5. Limiting use, disclosure, and retention
Personal information must only be used or disclosed for the purposes for which it was originally collected and kept only as long as required to fulfill those purposes.
To comply with this principle, organizations should understand what information they have, where it is stored, and the purposes for its use or disclosure. Purposes for use and disclosure must be documented. For personal information that no longer fulfills a specified purpose, minimum and maximum retention periods should be applied.
6. Accuracy
Organizations must endeavor to keep personal information accurate, complete, and up to date. This can be fulfilled through the development of appropriate policies to keep the information updated, which will help minimize the risk of inaccurate personal information being processed.
7. Safeguards
Personal information must be protected through the implementation of effective security safeguards. When developing appropriate safeguards, organizations should consider the sensitivity of the personal information and ensure it is protected from loss, theft, and unauthorized access. This can be achieved through technical or physical measures, but the safeguards must be reviewed periodically to ensure they remain appropriate.
8. Openness
Organizations must make information relating to their data handling policies and practices available. Public policies should be easy to access and easy to understand. The OPC states, “Individuals should not be expected to decipher complex legal language in order to make informed decisions on whether or not to provide consent.”
Public policies should therefore be accessible in multiple formats and inform the individual of how their information is used or disclosed, who is responsible for privacy, and how individuals can make a complaint.
9. Individual access
Individuals have the right to request access to their personal information and contest the accuracy and completeness of the information.
On request, organizations must provide access to personal information, in addition to explanations relating to where the information was collected, its specified purpose, and any disclosures that have been made.
Access to an individual’s personal information must be provided free of charge and should be presented in several formats.
10. Challenging compliance
Individuals can challenge your organization regarding compliance with PIPEDA’s ten principles. Communications of this nature should be made directly to the person responsible for privacy at your organization and every complaint must be investigated.
Following a complaint, organizations also need to ensure that all complaints are documented and that subsequent improvements to personal information handling practices are made. Individuals must be made aware of the outcome of the complaint, in addition to the steps taken to rectify the issue.
Individuals’ privacy rights are a key part of most modern data protection and privacy laws. PIPEDA is no different and bears similarities to common privacy rights.
- The right to be informed – While not explicitly referred to in PIPEDA as a right to be informed, organizations must provide identified purposes for processing to individuals, either orally or in writing.
- The right to access – Individuals have the right to request access to information relating to the existence, use, and disclosure of their personal information. Organizations must respond to an access request within a reasonable time frame and no later than 30 days from receipt. A response should be provided at minimal or no cost.
- The right to correction – Individuals have the right to request organizations to correct inaccurate records of personal information. Corrections must also be passed downstream to any third parties.
- The right to withdraw consent – Individuals have the right to withdraw consent at any time; however, organizations may retain personal information for the period in which it is necessary to fulfill the purpose for which it was collected.
- The right to erasure – The OPC has taken the position that individuals should have the ability to remove information that they have posted online. It is suggested that PIPEDA currently includes this right in relation to the right to withdraw consent.
- The right to lodge a complaint – Individuals have the right to file a complaint with the OPC if they believe an organization is in violation of PIPEDA.
Organizations covered by PIPEDA are required to include in their privacy notices details of these privacy rights, how the rights can be exercised, and how individuals can verify their identity when making requests.
A request intake system should be put in place for organizations to effectively manage and fulfill PIPEDA privacy rights requests. Before a request can be fulfilled, individuals may be required to verify their identity via the methods outlined in your organization’s privacy notice. Depending on the level of privacy program maturity, this could include email or SMS verification or an integration with a third-party verification tool.
Individuals also have the right to contest accuracy and request correction of their personal data. As a result, organizations should be able to find all the personal information related to the individual to ensure these requests are fulfilled in their entirety. This is where a complete and well-maintained data map can make privacy rights request fulfillment more efficient, streamlining the time taken to access or retrieve personal information related to the requestor.
To ensure Principle 7 is met, communication and fulfillment of privacy rights requests should be made through secure and encrypted response portals and all requests should be documented to further demonstrate compliance.
Establish a breach response process
PIPEDA includes mandatory breach reporting requirements that organizations must meet in certain circumstances. According to the OPC, a breach is where “there is a loss, unauthorized access to, use or disclosure of personal information.”
When a breach of security safeguards occurs, organizations must assess whether the breach has posed a “real risk of significant harm.” If it has, the organization has a mandatory requirement to report the breach to the OPC, and notify the affected individuals and relevant third parties.
Mandatory breach reports must be made to the OPC in writing, and contain certain information relating to the incident, and the steps taken after becoming aware of the incident.
A breach report must include:
- Cause, circumstances, and time of the breach
- A description of the personal information involved in the breach
- An approximate number of affected individuals
- Steps taken to reduce the risk of harm to affected individuals
- Steps that will be taken to notify affected individuals
- Contact details for the organization
When notifying affected individuals, the OPC suggests including the same information as the written report, in addition to information on how individuals can reduce the harm caused by the breach through measures such as changing passwords.
While mandatory reporting and notification help an organization with compliance and accountability, they do not reduce the risk of reputational damage as a result of a breach. Organizations of any size should develop an incident management playbook so that they are prepared to react appropriately in the event of a security breach. This includes having the appropriate breach intake forms in an easily accessible format and the proper processes in place to assess, investigate, and notify.
5-step PIPEDA compliance checklist
- Data mapping
  - Establish a data discovery process – This can be done manually, but an automated solution can yield faster and more accurate results
  - Add classification and regulatory context – Ensure each type of data is classified correctly and the correct laws are being applied
  - Review regularly – Schedule routine data map reviews and audits to ensure it is accurate and up to date with the latest regulations
- Ensure personal information processing meets the Fair Information Principles
  - Understand your requirements – Ensure the organization understands the principles it must apply to collect, use, and disclose personal information
  - Align principles to processing activities – Assess whether each principle can be applied to existing or planned processing activities
  - Inform – Ensure privacy notices are up to date and inform individuals about the purposes of processing, use of personal information, and their right to access
- Establish a DSAR process
  - Intake – Provide an accessible privacy rights request intake method
  - Verification – Build ID verification processes or integrate with a third-party service
  - Discovery – Scan data maps for personal data related to the requestor
  - Redaction – Remove any instances of personal data related to other individuals or proprietary information
  - Respond – Deliver the response to the requestor via a secure portal in an accessible format
- Develop a breach response process
  - Intake – Provide an easily accessible intake method for incident reports
  - Investigate – Investigate the incident. What has happened? What is the potential risk?
  - Assess – Determine whether the incident should be considered a breach
  - Report – In the appropriate circumstances, make a report to the OPC, affected individuals, and third parties
  - Remediate – Take the necessary steps to minimize the potential risk to affected individuals
  - Document – Make a record of each incident report regardless of its severity
- Keep ahead of the curve
  - Stay current – Keep on top of regulatory change to ensure your privacy program remains compliant
  - Automate – Ditch manual processes for more streamlined automated solutions
  - Everything all in one place – Use a centralized platform to embed PIPEDA compliance into your broader global privacy program and integrate with security, governance, and other teams
  - Build trust – Go beyond compliance and what you have to do, and start doing what you should do in order to build consumer trust
OneTrust solutions for PIPEDA compliance
The OneTrust Privacy & Data Governance Cloud offers complete solutions for organizations needing to comply with the requirements of PIPEDA. Data Mapping Automation helps to establish a foundation for your PIPEDA compliance initiatives through the automatic discovery of data, flagging risk and policy violations, and automated classification of personal data.
The Privacy Rights Automation module is an end-to-end solution for fulfilling privacy rights requests. The module includes dynamic intake forms and ID verification services, as well as the automated discovery and redaction of relevant personal information. Organizations can securely communicate with the requestor through an encrypted response portal.
Respond to breaches of security safeguards and meet PIPEDA’s mandatory breach reporting requirements with the Privacy Incident Management module, helping you effectively manage the entire breach management lifecycle.
OneTrust DataGuidance Research ensures organizations can stay ahead of the game with real-time regulatory developments, as well as access to thousands of pieces of legal research, reports, webinars, and more.
Request a free demo to see how OneTrust can be your comprehensive platform for PIPEDA compliance.