The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law, introduced in April 2000. The law aims to regulate the use of personal information in commercial activity by private-sector organizations and outlines several key requirements for compliance.
PIPEDA, now more than 20 years old, has been the subject of several attempted overhauls, two of them within the past two years alone. In 2020, Bill C-11, the Digital Charter Implementation Act, was introduced to reform federal private-sector privacy legislation in Canada. Bill C-11 died on the Order Paper in 2021 when Parliament was dissolved ahead of the federal election, without having passed the House. In June 2022, Bill C-27 was introduced as a reworking of Bill C-11. Bill C-27 would enact three new acts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
While any update to federal privacy law in Canada may take some time to come to fruition, organizations that fall within the scope of PIPEDA still need to understand and implement its current provisions. Let’s dive into the key areas of PIPEDA compliance and how to fulfill them.
Before you start building a comprehensive PIPEDA compliance program, it is worth understanding whether the law applies to your organization. PIPEDA’s scope clearly defines who is covered, and there are a few questions you can ask yourself to identify whether you need to comply.
If you answered yes to all the above, you fall under the scope of PIPEDA and you are required to comply with its requirements. There are a few exemptions to PIPEDA’s scope to note:
PIPEDA is not the only privacy law in Canada. Alberta, British Columbia, and Quebec have private-sector privacy laws deemed “substantially similar” to PIPEDA; where one of those laws applies, the organization is exempt from PIPEDA for collection, use, and disclosure that takes place within that province, while PIPEDA continues to apply to personal information that crosses provincial or national borders and to federally regulated businesses.
What is PIPEDA compliance?
PIPEDA compliance means fulfilling your organization’s obligations in line with the provisions of the law and having the technical and organizational measures in place. As with any privacy law, compliance with PIPEDA is not a one-time exercise, nor can it be achieved through tick-box exercises. PIPEDA compliance is ongoing and certain areas of the law, such as privacy rights requests and breach response, need continued attention.
Understanding your data
The first essential step to comply with PIPEDA is understanding what information is considered personal information, what information your organization holds, and how the two compare.
First, let’s examine the definition of personal information under PIPEDA. Personal information covers any information about an identifiable individual. This includes information that is factual or subjective in nature, whether it is recorded or not.
In guidance issued by the Office of the Privacy Commissioner of Canada (OPC), examples of personal information include:
Developing a central data map is vital for your organization’s compliance program, enabling you to have a clear view into your data and which laws apply. Understanding PIPEDA’s definition of personal information can help you to apply the correct regulatory context to the information your organization has and ensure that requirements such as information provision requirements or privacy rights requests are met correctly.
In the case of PIPEDA compliance, organizations can also use an up-to-date data map to check that each processing activity aligns with the ten Fair Information Principles that organizations are required to meet.
PIPEDA’s 10 Fair Information Principles
Processing personal information in line with the ten Fair Information Principles set out by PIPEDA is essential for an organization’s compliance. The OPC describes the ten Fair Information Principles as the “ground rules” for processing and as such organizations must ensure they are being met.
The ten Fair Information Principles set out in Schedule 1 of PIPEDA are:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure, and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
A deeper view into each of the ten Fair Information Principles can be found below.
Principle 1: Accountability
Organizations are responsible for the personal information under their control and must designate an individual who is accountable for the organization’s compliance with PIPEDA.
To meet the accountability principle, organizations should develop a privacy management program and relevant privacy policies. These should be reviewed at regular intervals to ensure ongoing compliance and staff should be trained to understand how their role intersects with the organization’s privacy requirements.
Principle 2: Identifying purposes
The purposes for collecting personal information must be identified and documented before or at the time of collection. At the time of collection, individuals must be informed of the identified purposes, and if the organization later wants to use the information for a new purpose, it must identify that purpose and obtain fresh consent before using it.
Principle 3: Consent
Organizations must obtain “meaningful consent” to collect, use, or disclose an individual’s personal information. This means individuals must be informed of what they are consenting to, who the personal information is being shared with, and any residual risks of harm.
The OPC highlights several conditions for valid consent, including informing individuals in accessible ways, offering individuals the ability to withdraw consent, and ensuring that the purposes for collection are ones a reasonable person would consider appropriate in the circumstances.
Principle 4: Limiting collection
The collection of personal information must be limited to what is necessary for the purposes identified by the organization, and it must be collected by fair and lawful means. Organizations should refer back to the purposes documented under Principle 2 to confirm that each data element collected is actually needed for one of them.
Principle 5: Limiting use, disclosure, and retention
Personal information must only be used or disclosed for the purposes for which it was collected, unless the individual consents otherwise or the law requires it, and must be retained only as long as necessary to fulfill those purposes.
To comply with this principle, organizations should understand what information they hold, where it is stored, and the purposes for which it is used or disclosed, and document those purposes. Organizations should also set minimum and maximum retention periods for each category of personal information, and personal information that is no longer required for any identified purpose should be destroyed, erased, or made anonymous.
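The data-map and retention advice above (and in the earlier section on understanding your data) can be enforced mechanically once purposes and retention periods are documented. The following Python is an added illustration, not code from the original article or from OneTrust: a toy data map that records which personal-information elements are held for which identified purpose, rejects a proposed use that was not identified at collection, and classifies each record against its documented minimum and maximum retention. The purpose names, retention periods, dates, and records are all constructed for the example.

```python
"""Added illustration (not OneTrust code, not part of the original article):
a toy data map that enforces purpose limitation and retention limits
(PIPEDA Principle 5). Purposes, retention periods and records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class Purpose:
    """An identified purpose (Principle 2) with its documented retention limits."""
    name: str
    min_days: int   # shortest period the record must be kept (e.g. a statutory duty)
    max_days: int   # longest period it may be kept, even if still in use


@dataclass(frozen=True)
class Record:
    """One individual's entry in the data map."""
    record_id: str
    elements: Tuple[str, ...]        # personal-information elements held
    purposes: Tuple[str, ...]        # purposes identified at collection
    collected_on: date
    fulfilled: FrozenSet[str] = frozenset()   # purposes already fully served


# Constructed purpose register standing in for a documented retention schedule.
PURPOSE_REGISTER: Dict[str, Purpose] = {
    "order_fulfilment": Purpose("order_fulfilment", min_days=6 * 365, max_days=7 * 365),
    "newsletter": Purpose("newsletter", min_days=0, max_days=2 * 365),
}


def is_use_permitted(record: Record, purpose_name: str) -> bool:
    """A use or disclosure is permitted only for a documented purpose that was
    identified to the individual when the information was collected."""
    return purpose_name in PURPOSE_REGISTER and purpose_name in record.purposes


def retention_status(record: Record, today: date) -> str:
    """Classify a record against its retention schedule.

    'overdue' - past the longest documented maximum for any of its purposes;
                destroy, erase or anonymise now.
    'destroy' - every purpose is fulfilled and the longest minimum has elapsed.
    'retain'  - still needed for an unfulfilled purpose, or a minimum still runs.
    """
    purposes = [PURPOSE_REGISTER[p] for p in record.purposes]
    earliest = record.collected_on + timedelta(days=max(p.min_days for p in purposes))
    latest = record.collected_on + timedelta(days=max(p.max_days for p in purposes))
    if today > latest:
        return "overdue"
    if set(record.purposes) <= record.fulfilled and today >= earliest:
        return "destroy"
    return "retain"


def elements_by_purpose(records: Iterable[Record]) -> Dict[str, Set[str]]:
    """Data-map view: which elements are held for each purpose across the inventory."""
    view: Dict[str, Set[str]] = {}
    for r in records:
        for p in r.purposes:
            view.setdefault(p, set()).update(r.elements)
    return view


def retention_report(records: Iterable[Record], today: date) -> Dict[str, str]:
    """Map each record id to its retention status as of `today`."""
    return {r.record_id: retention_status(r, today) for r in records}


# Constructed sample inventory and reporting date.
SAMPLE_RECORDS = [
    Record("r1", ("name", "address"), ("order_fulfilment",), date(2016, 1, 10),
           fulfilled=frozenset({"order_fulfilment"})),
    Record("r2", ("email",), ("newsletter",), date(2019, 3, 1)),
    Record("r3", ("name", "email"), ("order_fulfilment", "newsletter"), date(2021, 9, 15),
           fulfilled=frozenset({"order_fulfilment"})),
]
AS_OF = date(2022, 6, 1)


if __name__ == "__main__":
    print(retention_report(SAMPLE_RECORDS, AS_OF))
    print("newsletter to r1 permitted:", is_use_permitted(SAMPLE_RECORDS[0], "newsletter"))
    print(elements_by_purpose(SAMPLE_RECORDS))
```

Run as of 1 June 2022, record r1 (order fulfilled, six-year minimum elapsed) comes back as ready to destroy, r2 (a newsletter address past its two-year maximum) is flagged as overdue, and r3 (an order still open) is retained; sending a newsletter to r1, who only consented to order fulfilment, is rejected. A real program would read the purpose register from the organization’s documented retention schedule rather than a constant.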
Principle 6: Accuracy
Personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is used. Policies for keeping information current, and for correcting it when an individual challenges it, reduce the risk of decisions being made about someone on the basis of inaccurate information.
Principle 7: Safeguards
Personal information must be protected by security safeguards appropriate to its sensitivity. The safeguards should protect against loss or theft and against unauthorized access, disclosure, copying, use, or modification, and should combine physical measures (such as locked filing cabinets and restricted access to offices), organizational measures (such as security clearances and need-to-know access), and technological measures (such as passwords, encryption, and access controls). They must be reviewed periodically to ensure they remain appropriate as the information, the threats, and the organization change.
Principle 8: Openness
Organizations must make information about their personal-information handling policies and practices readily available. Public policies should be easy to access and easy to understand. The OPC states, “Individuals should not be expected to decipher complex legal language in order to make informed decisions on whether or not to provide consent.”
Public policies should therefore be available in multiple formats and should tell individuals how their information is used or disclosed, who is responsible for privacy in the organization and how to contact them, and how to make a complaint.
Principle 9: Individual access
On request, individuals have the right to be informed of the existence, use, and disclosure of their personal information, to be given access to it, and to challenge its accuracy and completeness.
In response, organizations must provide access to the personal information, together with an account of how it is being used, the purposes for which it was collected, and any third parties to which it has been disclosed.
Access must be provided within a reasonable time, at minimal or no cost to the individual, and in a form that is generally understandable. PIPEDA sets a default deadline of 30 days from receipt of the request, which can be extended only in limited circumstances and only if the individual is notified of the extension.
Principle 10: Challenging compliance
Individuals can challenge your organization’s compliance with any of the ten principles. Such challenges should be directed to the individual responsible for privacy at your organization, and every complaint must be investigated.
Organizations must also document every complaint and, where a complaint is found to be justified, correct their personal-information handling practices. The individual must be told the outcome of the complaint and the steps taken to rectify the issue.
Individuals’ privacy rights are a key part of most modern data protection and privacy laws, and PIPEDA is no different: its rights of access and correction closely resemble those found in other privacy regimes.
Organizations covered by PIPEDA are required to include details of these privacy rights in their privacy notices, how these rights can be exercised, and details of how individuals can verify their identity when making requests.
A request intake system should be put in place for organizations to effectively manage and fulfill PIPEDA privacy rights requests. Before a request can be fulfilled, individuals may be required to verify their identity via the methods outlined in your organization’s privacy notice. Depending on the level of privacy program maturity, this could include email or SMS verification or an integration with a third-party verification tool.
Individuals also have the right to contest the accuracy of their personal information and request its correction. Organizations must therefore be able to find all the personal information relating to the individual so that these requests are fulfilled in their entirety. This is where a complete and well-maintained data map makes privacy rights request fulfillment more efficient, reducing the time taken to locate and retrieve the requestor’s personal information.
To ensure Principle 7 is met, communication and fulfillment of privacy rights requests should be made through secure and encrypted response portals and all requests should be documented to further demonstrate compliance.
Establish a breach response process
PIPEDA includes mandatory breach reporting requirements that organizations must meet in certain circumstances. According to the OPC, a breach is where “there is a loss, unauthorized access to, use or disclosure of personal information.”
When a breach of security safeguards occurs, the organization must assess whether it creates a “real risk of significant harm” to an individual, taking into account the sensitivity of the information involved and the probability that it will be misused. If it does, the organization must report the breach to the OPC and notify the affected individuals as soon as feasible, and must also notify any other organization or government institution that may be able to reduce or mitigate the harm. Regardless of whether that threshold is met, the organization must keep a record of every breach of security safeguards for 24 months and provide those records to the OPC on request.
Mandatory breach reports must be made to the OPC in writing, and contain certain information relating to the incident, and the steps taken after becoming aware of the incident.
A breach report must include:
When notifying affected individuals, the OPC suggests including the same information as the written report, in addition to information on how individuals can reduce the harm caused by the breach through measures such as changing passwords.
While mandatory reporting and notification support compliance and accountability, they do not by themselves reduce the reputational damage a breach can cause. Organizations of any size should therefore develop an incident management playbook in advance so they can react appropriately when a breach occurs. This includes having breach intake forms in an easily accessible format and defined processes to assess, investigate, and notify.
- Data mapping
- Ensure personal information processing meets Fair Information Principles
- Establish a DSAR process
- Develop a breach response process
- Keep ahead of the curve
The OneTrust Privacy & Data Governance Cloud offers complete solutions for organizations needing to comply with the requirements of PIPEDA. Data Mapping Automation helps to establish a foundation for your PIPEDA compliance initiatives through the automatic discovery of data, flagging risk and policy violations, and automated classification of personal data.
The Privacy Rights Automation module is an end-to-end solution for fulfilling privacy rights requests. The module includes dynamic intake forms and ID verification services, as well as the automated discovery and redaction of relevant personal information. Organizations can securely communicate with the requestor through an encrypted response portal.
Respond to breaches of security safeguards and meet PIPEDA’s mandatory breach reporting requirements with the Privacy Incident Management module, helping you effectively manage the entire breach management lifecycle.
OneTrust DataGuidance Research ensures organizations can stay ahead of the game with real-time regulatory developments, as well as access to thousands of pieces of legal research, reports, webinars, and more.
Request a free demo to see how OneTrust can be your comprehensive platform for PIPEDA compliance.