All You Need to Know About The 10 PIPEDA Principles
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that governs data privacy.
PIPEDA applies to personal information that businesses collect, use, or disclose. Entities subject to PIPEDA that process personal information must adhere to 10 fair information principles.
The 10 Canada PIPEDA principles are:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Accountability
The principle of accountability under PIPEDA obliges businesses to designate at least one individual whose duty is to ensure that the organization complies with this data privacy law.
It is important to ensure that your PIPEDA compliance appointee is qualified and has the support needed to perform his/her duties.
Identifying Purposes
Under this principle, Canada PIPEDA requires you to identify and document the reasons why you are gathering a specific kind of data. The objective of this requirement is to ensure that you:
- Inform individuals why you collect their information
- Adopt the required measures to avoid using the information for other purposes
- Make consumers aware when you use the information collected for a different purpose, so that you can seek fresh consent to use the data for the new purpose
Consent
If you are a data controller subject to Canada PIPEDA, you are obligated to seek implied or express consent, depending on the circumstances. The consent has to be meaningful. In some cases implied consent is meaningful, and sometimes only express consent is meaningful.
It is important to ensure that your data subjects understand what giving consent means and that they do not feel coerced or duped into giving it.
Additionally, you need to keep records of the instances where you conclude that user consent is not required.
Limiting Collection
It is essential to review your data collection processes to distinguish information that is absolutely necessary to collect from data that you do not need to collect.
This distinction is important because the fourth principle of Canada PIPEDA requires your business to collect only information that is strictly necessary and consistent with the purposes for which your users consented.
Limiting Use, Disclosure, and Retention
To achieve compliance with Canada PIPEDA, you need to create policies and guidelines that guarantee you use consumer information only for reasons in line with what your users consented to.
Similarly, you need to institute policies concerning how long you intend to retain this data. Ideally, the retention period should not exceed the time necessary to fulfil the stated purposes of collection.
However, if you use this data to draw conclusions about a user, you are required to retain this information for a period long enough to allow the user in question to review it.
Accuracy
According to this principle, you are expected to ensure that all the personal information you collect is accurate, complete, and kept up to date as required for the stated purpose.
Compliance with Canada PIPEDA requirements under this principle depends on how you use the information you collect.
Ideally, you need to ensure that the information you use to make inferences about users is kept up to date, to minimize the risk of making decisions about individuals based on inaccurate data.
Safeguards
Considered one of the most crucial principles under Canada PIPEDA, this principle requires you to ensure that the information you collect is protected from unauthorized access, theft, copying, or modification.
It is important to note that the safety of user information remains vital even when you are disposing of records.
Primarily, the degree of protection should be proportionate to the sensitivity of the data you collect.
For this reason, your data protection measures can comprise physical access controls, organizational measures such as allowing access only to specific members of staff, or technological approaches such as passwords and encryption.
Openness
Under this principle, you need to publish the name and contact details of the individual you appointed to facilitate compliance with PIPEDA.
Apart from this, you also need to provide users with information on how to access the data you have collected about them, as well as how you share it.
Individual Access
If a person submits a written request concerning their personal data, you must respond with information about whether you have collected data about them, the type of data you have collected, how you have used it, and the third parties that have had access to it.
Additionally, this PIPEDA principle requires you to allow users to determine whether the data you hold about them is inaccurate or incomplete. If they show that it is inaccurate or incomplete, you must allow them to correct or update it.
Essentially, you are required to give a full response within 30 days of the initial request.
Challenging Compliance
The tenth Canada PIPEDA principle requires you to adopt measures to receive, review, and address complaints of non-compliance.
Typically, you are expected to examine the complaint and implement the necessary measures if you establish that the complaint is valid. In this context, you may need to modify your policies or processes.
The next step is to inform the complainant about the action taken, as well as the steps they can take if they are not satisfied with your response to the complaint.