Personal Information Protection and Electronic Documents Act (PIPEDA)
- Lawfulness, Fairness and Nondiscrimination
- Transparency and Free Access
- Purpose Specification, Use Limitation and Suitability
- Data Minimisation, Storage Limitation and Accuracy
- Security and Prevention
- Accountability and Recordkeeping
- Data Protection Officer
- Privacy by Design
- Data Subject Rights
- Vendor Management
- Incident & Breach
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the collection, use, or disclosure of personal information in the course of a commercial activity. PIPEDA applies to every organization in respect of personal information that 1) the organization collects, uses, or discloses in the course of commercial activities; or 2) is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses, or discloses in connection with the operation of a federal work, undertaking or business.
PIPEDA does not apply:
- to any government institution to which the Privacy Act applies;
- to any individual if personal information is collected, used, or disclosed for personal or domestic purposes, and no other purpose; or
- to any organization if personal information that the organization collects, uses, or discloses is for journalistic, artistic, or literary purposes, and no other purpose.
- Commercial activity: means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
- Federal work, undertaking, or business: any work, undertaking or business that is within the legislative authority of Parliament (e.g. trans-provincial railway, canals, telegraph, maritime/ships anywhere in Canada, ferries, airplanes, radio broadcasting station, a work wholly situated in one province, etc.)
- Personal information: any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as
PIPEDA Fair Information Principles
Schedule 1 of PIPEDA lists 10 fair information principles that businesses must follow. These principles track closely to the OECD Principles. The principles (numbered as they are referenced throughout this summary) are:
- Principle 1: Accountability
- Principle 2: Identifying Purposes
- Principle 3: Consent
- Principle 4: Limiting Collection
- Principle 5: Limiting Use, Disclosure, and Retention
- Principle 6: Accuracy
- Principle 7: Safeguards
- Principle 8: Openness
- Principle 9: Individual Access
- Principle 10: Challenging Compliance
Lawfulness, Fairness and Nondiscrimination
Subject organizations must abide by Principle 4 (Limiting Collection), which states that “information shall be collected by fair and lawful means.” The principle is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected.
PIPEDA Principle 3 (Consent) focuses on consent. Under PIPEDA the “knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.” Principle 3 lists a number of circumstances in which personal information can be collected, used, or disclosed without the knowledge and consent of the individual.
Circumstances where knowledge and consent are not required:
- Where legal, medical, or security reasons may make it impossible or impractical;
- Where information is being collected for the detection and prevention of fraud or for law enforcement;
- Where seeking consent may be impossible or inappropriate because the individual is a minor, seriously ill, or mentally incapacitated; and
- Where organizations do not have a direct relationship with the individual (e.g. a non-profit organization obtaining a mailing list from another organization; here the organization providing the list would be expected to obtain consent prior to sharing the list).
Consent is also dealt with in Section 6 of Division 1, which describes “valid consent.” The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose, and consequences of the collection, use or disclosure of the personal information to which they are consenting. As with Principle 3, Section 6 also lists several exceptions to the knowledge and consent requirement.
Form of Consent
- Sensitive information: an organization should generally seek express consent.
- Less sensitive information: implied consent is generally appropriate.
- Consent can also be given by an authorized representative.
Transparency and Free Access
Under PIPEDA Principle 8 (Openness), an organization must “make readily available to individuals specific information about its policies and practices relating to the management of personal information.” An organization must also be open about its policies and practices with respect to the management of personal information.
Principle 8 also states that individuals must be able to acquire information about an organization’s policies and practices without unreasonable effort. Furthermore, this information must be made available in a form that is generally understandable.
Principle 9 (Individual Access) deals with the rights of individuals. According to Principle 9, an organization must respond to an individual’s request within a reasonable time and at minimal or no cost to the individual.
Purpose Specification, Use Limitation and Suitability
Appropriate Purposes and Fairness
Principle 2 (Identifying Purposes) states that the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. PIPEDA applies a “reasonableness” test to the basis for collecting personal information. Specifically, an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. S.C. 2000, c.5, Div. 1, s. 5(3).
Principle 5 (Limiting Use, Disclosure, and Retention) states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. If an organization uses personal information for a new purpose, the organization must document this purpose. Organizations should also develop guidelines and implement procedures that include the minimum and maximum retention periods. Personal information that is no longer required to fulfill the identified purpose should be destroyed, erased, or made anonymous.
Data Minimisation, Storage Limitation and Accuracy
Principle 4 (Limiting Collection) states that the collection of personal information must be limited to that which is “necessary for the purposes identified by the organization.” An organization must not collect personal information indiscriminately. According to Principle 5 (Limiting Use, Disclosure, and Retention), personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Under the same principle, personal information must be retained only as long as necessary for the fulfillment of those purposes. As stated above, personal information that is no longer required to fulfill the identified purpose should be destroyed, erased, or made anonymous.
Principle 6 (Accuracy) states that personal information must be “as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.” As a baseline, information must be sufficiently accurate to minimize the possibility that inappropriate information may be used to make decisions about the individual. Beyond that, the extent to which information must be made accurate varies depending on the interests of the individual and the usage of such information. As a general matter, information that is used on an ongoing basis, including information that is disclosed to third parties, should be accurate, unless certain limits are clearly set out.
Security and Prevention
Principle 7 (Safeguards) of PIPEDA addresses security safeguards. An organization must ensure that personal information is protected by security safeguards appropriate to the sensitivity of the information. Such security safeguards must protect against loss or theft, unauthorized access, disclosure, copying, use, or modification. PIPEDA does not contain an exhaustive list of safeguards, but does describe three “methods” of protection. These methods include:
- Physical measures (e.g. locked filing cabinets and restricted access to offices);
- Organizational measures (e.g. security clearances and limiting access on a “need-to-know” basis); and
- Technological measures (e.g. the use of passwords and encryption).
Organizations must make their employees “aware of the importance of maintaining the confidentiality of personal information.” Lastly, Principle 7 requires organizations to use care when disposing of or destroying personal information, to prevent unauthorized parties from gaining access to the information.
Accountability and Recordkeeping
Principle 1 of PIPEDA is Accountability. Accountability for compliance with PIPEDA rests with the designated individuals, although others may be involved to work with, or delegated to work on behalf of, the designated individuals. An organization must make the identity of the designated individual(s) known upon request. An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.
An organization is also responsible for:
1) implementing procedures to protect personal information (see Security and Prevention);
2) establishing procedures to receive and respond to complaints and inquiries (see Transparency and Free Access, and Data Subject Rights);
3) training staff and communicating to staff information about the organization’s policies and practices; and
4) developing information to explain the organization’s policies and procedures.
PIPEDA explicitly and implicitly requires organizations to maintain records of the organization’s collection and processing of personal information.
According to Division 3, the Commissioner may audit the personal information management practices of an organization if the Commissioner has reasonable grounds to believe that the organization has contravened Division 1 (Protection of Personal Information) or Division 1.1 (Breaches of Security Safeguards), or the PIPEDA Principles (see Schedule 1). As part of the audit, the Commissioner may compel the production of any records that the Commissioner considers necessary for the audit. This casts a wide net over the information that the Commissioner may require, so it is imperative for an organization to maintain records of its compliance with PIPEDA.
According to Division 1, an organization must keep and maintain a record of every breach of security safeguards involving personal information under its control. This is an explicit requirement to maintain records and may also be a part of the records requested by the Commissioner in the event of an audit.
Data Protection Officer
While PIPEDA does not specifically mention a “data protection officer” (DPO), Principle 1 (Accountability) does specify that an organization must “designate an individual or individuals who are accountable for the organization’s compliance” with the PIPEDA principles. According to Principle 1, other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. The identity of the designated individual(s) must be made known upon request. Furthermore, under Principle 10 (Challenging Compliance), individuals challenging an organization’s compliance with PIPEDA should be able to address their challenge to the designated individual(s).
Privacy by Design
“Privacy by design” (the approach of embedding privacy into the design and development of new products and services) was developed and led by Ann Cavoukian, Ph.D., the former Information and Privacy Commissioner for Ontario, in the mid-1990s. Despite Canada being the conceptual birthplace of “privacy by design”, it is not explicitly mentioned or incorporated in the original text of PIPEDA.
Data Subject Rights
Principle 9 (Individual Access) lists several rights of individuals with respect to the existence, use, and disclosure of their personal information by an organization. Principle 10 (Challenging Compliance) provides for procedures by which an individual may exercise the right to challenge an organization’s noncompliance. An organization must respond to an individual’s request within a reasonable time and at minimal or no cost to the individual.
- Right to be informed/access: An individual has a right to be informed of the existence, use, and disclosure of his or her information. Upon request, the organization shall allow the individual access to this information. Principle 9.
- Right to accuracy/rectification: An individual has a right to challenge the accuracy and completeness of the information. When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization must amend, correct, delete, or add (to) the information. Principle 9.
- Right to withdraw consent: According to Principle 3 (Consent), an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Furthermore, the organization must inform the individual of the implication of such withdrawal.
- Right to challenge compliance: Organizations must put procedures in place to receive and respond to complaints or inquiries from individuals about the organization’s policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use. Principle 10.
An individual may also file a written complaint with the Commissioner against an organization for contravening PIPEDA.
Vendor Management
PIPEDA casts a wide net with respect to an organization’s relationship with third parties. PIPEDA does not distinguish between processors and vendors. According to Principle 1 (Accountability), the organization is responsible for personal information in its possession or custody, including information transferred to a third party for processing. The organization must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Incident & Breach
Division 1.1 of PIPEDA (Breaches of Security Safeguards) establishes certain notification requirements in the event of a breach. A breach is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in [Principle 7 (Safeguards)].”
The notice and reporting requirements turn on a determination of “significant harm.” The definition of significant harm includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” PIPEDA also lists several factors relevant to determining whether a breach creates a “real risk of significant harm”:
- The sensitivity of the personal information involved in the breach;
- The probability that the personal information has been, is being, or will be misused; and
- Any other prescribed factor.
The summary below sets out the notification and reporting requirements for a notifying organization, by the party to be reported to or notified.
Commissioner
- Form of communication: report.
- Standard: real risk of significant harm to an individual.
- Requirements: the report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.
Individual
- Form of communication: notification.
- Standard: real risk of significant harm to the individual.
- Content: sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.
- Form and manner: conspicuous, and given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.
- Time: as soon as feasible after the organization determines that the breach has occurred.
Any other organization, a government institution or a part of a government institution
- Form of communication: notification.
- Standard: an organization that notifies an individual of a breach of security safeguards under subsection 10.1(3) shall notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied.
- Time: as soon as feasible after the organization determines that the breach has occurred.
In Canada, it is mandatory to report ‘notifiable’ personal data breaches, i.e. the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards (PIPEDA Part 1, Clause 2(1)). A breach is ‘notifiable’ if it is reasonable to believe that it creates a real risk of significant harm to the individuals. The sensitivity of the personal information involved and the probability of its misuse play a key role in the risk assessment.
Is it mandatory to notify individuals?
Is it mandatory to notify the regulator?
Timing: as soon as feasible.
Regulator: Office of the Privacy Commissioner of Canada, 30 Victoria Street
Breach Notification Format
The notification to individuals must include enough information to allow the individual to understand the significance of the breach to them and to take steps (if possible) to mitigate the harm. The Breach of Security Safeguards Regulations stipulate the mandatory notification content; individuals can be contacted either directly (phone, email, etc.) or indirectly (public communication). The breach report can be submitted to the Office of the Privacy Commissioner by email, by post, or by hand using the Commissioner’s breach reporting form.
The Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c.5, is Canada’s comprehensive federal data protection legislation.
Last Updated: July 30, 2019