Essential Elements of a PIPEDA-Compliant Privacy Policy

Article by Tsaaro

Introduction 

The Personal Information Protection and Electronic Documents Act, also known as PIPEDA, is the federal law in Canada that governs the collection and processing of personal data and information in the course of business activities. The Act mirrors the Canadian Standards Association’s Model Code and is the foundation for assessing privacy compliance. Another crucial feature is that PIPEDA is intended to keep Canada’s data breach notification requirements in line with those of its trading partners, particularly the EU.

PIPEDA applies to all private sector organisations and aims to balance the privacy rights of individuals with the needs of organisations that collect and use their data. Under PIPEDA, personal information includes personal health information, cookie data, loan records, ID and address details, etc. What is generally not considered personal information can include government information, a person’s business contact information, certain information about public servants, etc. One of the most essential requirements under PIPEDA is obtaining meaningful consent: individuals must be told clearly how and why their data is being collected and how it will be used or disclosed if the organisation retains it. Currently, the Act does not provide for directly enforceable orders, but non-compliance can lead to reputational harm, OPC investigations and Federal Court applications.

The Fair Information Principles in PIPEDA are the foundation of Canada’s private sector privacy law; they guide organisations on how to collect, use and disclose users’ personal information in a transparent and accountable way. They were adopted from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). Below is a breakdown of the Fair Information Principles:

Fair Information Principles in PIPEDA 

Accountability:  

PIPEDA’s Accountability principle states that every organisation subject to the Act is responsible for personal information under its control and must designate an individual to ensure compliance. This principle requires organisations to implement procedures to protect information, issue documented policies, carry out privacy impact assessments, and keep an internal audit trail. Each private company subject to PIPEDA remains responsible for personal information it has transferred to a third party for processing, and must enter into contracts where necessary to safeguard the information while the third party processes it.

Example: The Royal Bank of Canada publishes its Chief Privacy Officer’s name and contact details on its privacy policy page. This officer oversees the bank’s compliance with privacy obligations and investigates complaints.  

Identifying Purposes:  

Principle 2 concerns identifying the purposes for which the organisation collects user information. It mandates documenting the purposes for which an individual’s personal data is stored, in accordance with the Openness principle and the Individual Access principle. The purposes should be clearly communicated to individuals at the time of collection; depending on how the information is collected, this can be done orally or in writing.

Example: Canada Post states on its website that when customers sign up for package tracking, their email address is collected only to send delivery notifications and is not used for marketing without explicit consent.

When personal information that was collected for one purpose is to be used for a new purpose not previously identified, the individual’s consent is required unless the new use is required by law. The people collecting personal information should know the purpose and be capable of explaining it to individuals.

Consent:  

The individual’s consent is required before personal data is collected and used, except in cases such as fraud prevention and law enforcement, where the government collects it. Principle 3 requires organisations to make reasonable efforts to ensure that the individual is informed before personal data is collected. An authorised representative of the individual can also give consent.

Specific prescribed ways in which an individual may give consent are:  

  • Using an application form to seek consent and collect information.
  • A check box that allows individuals to request that their names and addresses not be shared with third parties.
  • Orally, for example over the phone.
  • At the time an individual uses a product or service.

Everyone has the right to withdraw consent at any time, subject to reasonable notice. The organisation must inform the individual of the implications of withdrawing consent.

Example: Air Canada uses a checkbox for passengers booking online to consent to receiving promotional offers.

Limiting Collection:  

Under the Limiting Collection principle, the amount and type of information collected must be strictly limited to what is necessary for the identified purposes. Information must be collected fairly and lawfully, without deceptive or intrusive methods.

Example: LinkedIn limits profile creation data to essential personal details and does not request unnecessary data such as religion. Stating that only the needed fields are collected reflects the organisation’s commitment to this principle and ties back to the Openness principle, which details what is collected and helps ensure that the collection is reasonable.

Limiting Use, Disclosure, Retention: 

The Limiting Use, Disclosure and Retention principle provides that personal information may only be used for the identified purposes that were disclosed, and companies must refrain from using personal information for purposes not previously disclosed to the user. Companies should have written rules on data retention and ensure secure deletion once the purpose has been fulfilled. The principle also mandates that personal information used to make a decision about an individual shall be retained only for as long as is needed for the individual to access it after the decision has been made. The company must set minimum and maximum periods for holding user data, and holding user data beyond those periods may lead to an inspection.

Accuracy: 

PIPEDA’s Accuracy principle requires that collected personal data is accurate and up to date for the purpose for which it is to be used. The required degree of accuracy depends on how the information is used, and organisations should take care here, since errors commonly arise when user data is updated and merged. Companies should also provide ways for users to update their data from time to time as their circumstances change. Every organisation must ensure that personal data handed to third parties is current and accurate, unless limits to the accuracy requirement are set out.

Example: Telus Mobility allows customers to log in to their account portal and update address, phone number and payment details, ensuring accurate billing and service delivery. 

Safeguards:  

Personal information should always be protected by safeguards appropriate to its sensitivity. Principle 7 provides for safeguards against unauthorised access, copying, modification, and disclosure. The nature of the safeguards depends on the sensitivity of the data: more sensitive information must be guarded with a higher level of protection. Organisations must protect the information they hold regardless of the format in which it is stored. Methods of protection include:

  • Physical measures, such as restricted access to premises and files.
  • Organisational measures, such as limiting access on a need-to-know basis and security clearances.
  • Technological measures, such as passwords and encryption.

Employees must be trained to practise care and caution when disposing of or destroying personal information to prevent unauthorised parties from gaining access to this information. 

Openness: 

Organisations and companies must be open about their policies for managing personal information; users must be able to obtain information about the company’s policies and practices without unreasonable effort. In practice, people should be able to learn how a company or organisation handles data, the identity of the accountable person, a description of the information the company holds, and the policy on disclosure to affiliates.

Example: Shopify maintains a comprehensive and easy-to-navigate privacy page explaining why information is collected and how it will be used. Today, it is good practice to include a plain-language summary of the process and make it readily available to people.

Individual Access:  

The 9th Fair Information Principle governs individual access and requires organisations to adopt policies and procedures for responding to requests for personal information. Requests for personal information received by any staff member must be directed to the designated staff member responsible for processing them. Organisations must allow access to the data and keep records of who received it and for what purpose. Many companies set a timeframe of 30 days from the request to provide the information. Likewise, if access is denied, the individual must be told why and what recourse is available, and a record of the refusal must be kept.

Challenging Compliance:  

The 10th principle, Challenging Compliance, requires businesses to have policies and procedures for receiving complaints and questions about how the organisation handles data. Businesses must allow individuals to bring complaints and concerns to the designated individual responsible for PIPEDA compliance. Companies must investigate all complaints and, where justified, change their practices to prevent the issue from recurring. The Privacy Commissioner’s office advises recording all complaints, acknowledging receipt, and informing complainants of the outcome. For good practice, dispute resolution mechanisms must be cited and resources made available for individuals who want to approach the company about any issue relating to their personal information.

Example: Tim Hortons came under scrutiny after its app tracked users’ geolocation data. Following the investigation, the company committed to providing a channel for customers to lodge privacy complaints and to corrective measures.

Conclusion  

Drafting a privacy policy can feel like a dry, legalistic chore. But here’s the thing: it’s so much more than ticking a box. For any business operating in Canada, a PIPEDA-compliant privacy policy isn’t just about avoiding penalties; it is about establishing trust. By weaving in the 10 Fair Information Principles laid out by PIPEDA, you’re not just meeting legal obligations, you’re showing a deep commitment to responsible data handling. That commitment, in turn, becomes a cornerstone of your brand’s credibility.

Here’s a quick check to get you started:

Assess your current policy: Does it truly measure up against the 10 Fair Information Principles? 

Designate a Privacy Officer: Name the person accountable for compliance, and educate your entire team on what responsible data handling truly means.

Make consent meaningful: Are you truly getting clear, informed consent from your users? Is it easy for them to understand why and how their data is being used? Transparency is key.

Need support? Find us at www.tsaaro.com to ensure your policy is legally sound and future ready.