Personal Information Protection & Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law for protecting the privacy of citizens. PIPEDA governs how private sector & federal organizations in Canada during commercial activity; collect, use, and disclose personal information (PI) in a way that upholds and recognizes the individual's right to privacy. The Act necessitates organizations to seek the individual's consent for collecting, using, or disclosing information beyond its explicitly defined and justified purpose. It empowers individuals with the right to access their personal information collected by an organization, know who is responsible for collecting the data and the reasons, and have the right to challenge the accuracy of data.

PIPEDA originally was implemented on April 13, 2000, to develop trust in electronic commerce; however, later came into full force in 2004. However, it later expanded to include industries such as healthcare, airlines, broadcasting, telecommunications, transportation, and banking. A key aspect of PIPEDA is the fact it is designed to maintain Canada's notification requirements consistent with the European Union, a trading partner of Canada. Further, as per section 29 of PIPEDA, Part I of the Act i.e. "Protection of Personal Information in the Private Sector" must be reviewed by Parliament every 5 years.

Laws Similar to PIPEDA in Canada

Provincial Privacy laws similar to PIPEDA in Canada are:

• Quebec – An Act Respecting the Protection of PI in the Private Sector
• Alberta – Personal Information Protection Act ("PIPA")
• British Columbia – Personal Information Protection Act ("PIPA")

Organizations in Canada complying with similar provincial privacy laws are exempt from compliance to PIPEDA in terms of the collection, use, or disclosure of personal information that occurs within that province.

What is the Key Purpose of PIPEDA?

The main objective of PIPEDA is to ensure that personal information is collected, stored, and shared in ways that respect the fundamental right to privacy. Since several organizations use personal information to connect with their customers and help provide better services, it is important to ensure that personal information is kept private and confidential.

Read Complete Infographic

Close Infographic

Who Must Comply with PIPEDA?

PIPEDA applies to organizations that fall into the Federal Work, Undertakings, and Businesses (FWUB) category. As per the Office of the Privacy Commissioner of Canada, FWUBs include:

• Banks
• Radio and television stations
• Inter-provincial trucking
• Airports and airlines
• Navigation and shipping by water
• Telecommunication companies such as internet service providers, phone (cellular or landline companies), cable companies
• Railways, canals, pipelines, ferries, etc. that cross borders

Organizations that are not an FWUB but deal in commercial activities that involve the flow of personal information or operate in a province that doesn't have a similar privacy law also fall in the ambit of PIPEDA.

What is the Territorial Reach of PIPEDA?

PIPEDA is a federal law that applies to personal information held by private businesses in:

What Is 'Personal Information (PI)' Under PIPEDA?

According to PIPEDA, personal information (PI) is information about an identifiable individual, which comprises any factual or subjective information. Personal information can the following:

• Name, age, ID number's including driver's license, social insurance, passport
• Race, national or ethnic origin, religion
• Relationship or marital status
• Medical, education, or employment history
• Financial information
• DNA
• Information, Evaluation, Comments, or opinions about the individual as an employee.

What are the Guiding Principles of PIPEDA?

The PIPEDA has provided businesses with guiding principles to protect personal information and strengthen trust in the digital world. The key principles of PIPEDA to help organizations attain PIPEDA compliance include:

a) Accountability: Every organization is responsible for personal information under its control. It must assign a designated Privacy Officer to ensure the organization's compliance with PIPEDA.

b) Identifying Purposes: The Organization needs to identify the purposes for which personal data is being collected before or at the time of collection.

c) Consent: An individuals' consent is required for the collection, usage or disclosure of personal information. There may be a few exemptions that apply to this principle like in situations regarding legal, medical or security reasons that make seeking consent impractical or impossible.

d) Limiting Collection: Information should be collected as per the purpose identified by the organization and should be collected by fair and lawful means.

e) Limiting Use, Disclosure, and Retention: Personal information must be retained only as long as required for the purpose identified. Unless the individual provides his consent otherwise or if it is required by law, the information can only be used or disclosed for the specific purposes for which it was collected.

f) Accuracy: Personal information must be as complete, precise, and as updated as possible to properly satisfy the purposes for which it is collected.

g) Safeguards: Personal information must be protected against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification with the help of appropriate security measures.

h) Openness: Organizations must provide comprehensive information about their policies and practices regarding the management of personal data.

i) Individual Access: Upon request, an individual must be provided information on the existence, use, and disclosure of their personal information. They shall also be provided access to that information. An individual shall also be able to challenge the correctness and completeness of the information and have it changed as appropriate.

j) Challenging Compliance: An individual can challenge the organization's compliance based on PIPEDA's principles and convey their challenge to the Privacy Officer in charge of the company's PIPEDA compliance.

PIPEDA: Fines and Penalties

There is a fine of up to $100,000 per violation that may be levied on organizations that may knowingly violate PIPEDA guidelines for proactive data security safeguards, data breach reporting, and keeping data breach records.

Criminal Offences under PIPEDA

The main purpose of the PIPEDA is to create a good-faith agreement to protect personal information. Most cases of PIPEDA complaints are resolved effectively with positive results for both the business as well as the complainant. However, the PIPEDA has clearly stated three instances that may result in a criminal offense and may lead to criminal prosecutions:

a) Purposefully destroying data or information after receiving a request to review it

b) Retaliatory behavior against those employees who tried to follow the PIPEDA

c) Hampering the investigation after a complaint has been lodged

Data Erasure – Technology to Help Attain PIPEDA Compliance

Data erasure can facilitate the 'retention' and 'safeguard' aspects of personal information to attain compliance with PIPEDA. Data erasure technology is based on overwriting the existing data with binary patterns in order to secure it from the breach. It can serve as a failsafe method for permanent removal of personal information after the specified retention period is over to ensure compliance with PIPEDA guidelines. Further, the erasure of sensitive data secures it from theft, unauthorized access, disclosure, copying, use, or modification, thus fulfilling the Safeguards principle for personal data in line with PIPEDA.

BitRaser, a professional data erasure software, can permanently remove (erase) data as per international standards thus guiding its safety from breach or unauthorized use. The tool also generates tamperproof reports and certificates of erasure to prove compliance with data privacy norms of PIPEDA.