The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that oversees data privacy.
PIPEDA applies to personal information that businesses collect, use, or disclose. Entities subject to PIPEDA that process personal information must adhere to 10 fair information principles.
The 10 Canada PIPEDA principles are:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Accountability
The accountability principle under PIPEDA obliges your business to designate at least one individual responsible for ensuring that the business complies with this data privacy law.
It is important to ensure that your PIPEDA compliance appointee is qualified and has the support needed to perform their duties.
Identifying Purposes
Under this principle, Canada PIPEDA requires you to identify and document the reasons why you are collecting a specific kind of data. The objective of this requirement is to ensure that you:
- Inform individuals why you collect their information
- Adopt the measures required to avoid using the information for other purposes
- Make consumers aware when you use the information collected for a different purpose, so that you can seek fresh consent to use the data for that new purpose
Consent
If you are a data controller subject to Canada PIPEDA, you are obligated to seek implied or express consent, depending on the circumstances. The consent has to be meaningful: in some cases implied consent is meaningful, while in others only express consent is.
It is important to ensure that your data subjects understand what giving consent means and that they are not coerced or deceived into giving it.
Additionally, you need to keep records of the instances in which you conclude that user consent is not required.
Limiting Collection
It is essential to review your data collection processes to distinguish information that is strictly necessary to collect from data that you do not need.
This distinction matters because the fourth principle of Canada PIPEDA requires your business to collect only information that is strictly necessary and consistent with the purposes for which your users consented.
Limiting Use, Disclosure, and Retention
To achieve compliance with Canada PIPEDA, you need to create policies and guidelines that ensure you use consumer information only for purposes in line with what your users consented to.
Similarly, you need to institute policies on how long you intend to retain this data. Ideally, the retention period should not exceed the time necessary to fulfil the stated purposes of collection.
However, if you use this data to draw conclusions about a user, you are required to retain the information long enough to allow the user in question to review it.
Accuracy
Under this principle, you are expected to ensure that all the personal information you collect is accurate, complete, and kept up to date as required for the stated purpose.
Compliance with this Canada PIPEDA requirement depends on how you use the information you collect.
In particular, you need to ensure that the information you use to make inferences about users is kept up to date, to minimize the risk of making decisions about individuals based on inaccurate data.
Safeguards
Considered one of the most crucial principles under Canada PIPEDA, this principle requires you to ensure that the information you collect is protected from unauthorized access, theft, copying, or modification.
It is important to note that protecting user information remains vital even when you are disposing of records.
The degree of protection should be commensurate with the sensitivity of the data you collect.
For this reason, your data protection measures can comprise physical access controls, organizational measures such as restricting access to specific members of staff, or technological approaches such as passwords and encryption.
Openness
Under this principle, you need to make available the name and contact details of the individual you appointed to facilitate compliance with PIPEDA.
You also need to provide users with information on how to access the data you have collected about them and on how you share it.
Individual Access
When a person submits a written request concerning their personal data, you must respond with information on whether you have collected data about them, the type of data you have collected, how you have used it, and the third parties that have had access to it.
Additionally, this PIPEDA principle requires you to allow users to verify whether the data you hold about them is inaccurate or incomplete. If they identify it as inaccurate or incomplete, you must allow them to correct or update it.
You are required to give a full response within 30 days of the initial request.
Challenging Compliance
The tenth Canada PIPEDA principle requires you to adopt measures to receive, review, and address complaints of non-compliance.
Typically, you are expected to examine the complaint and implement the necessary measures if you establish that it is valid; this may mean modifying your policies or processes.
The next step is to inform the complainant of the action taken and of the steps they can take if they are not satisfied with your response.
Learn more about Canada PIPEDA with our comprehensive compliance guide to ensure that your business meets its data protection obligations.
Alternatively, book a call today and speak to a data protection expert.