PIPEDA and You: Privacy Law in Canada

According to a report released outlining Canadian digital growth and industry trends, more than 80 percent of Canadians made at least one online transaction during the year prior to the study’s release (2018). Trends indicate that online platforms for clothing, travel, and household items will increase in number and traffic.

In addition to eCommerce, trends like remote work, online gaming, and content streaming mean that more Canadians will be using the internet for work and recreation. This highlights the increasing reliance on eCommerce and need for tighter regulations regarding data collection, storage, and use.

As far back as 1996, the Canadian government realised the need for data protection laws and responded by creating a set of guiding principles, the Model Care for the Protection of Personal Information, by which online enterprises should live and conduct business.

These principles were formalised and set into law in 2000 with the creation of the Personal Information Protection and Electronic Documents Act (PIPEDA), which was updated again in 2015 and set a final date of 1 November, 2018, for compliance. Another update was introduced and implemented in January, 2018 and May of 2019.

PIPEDA has been approved by the EU’s commission of digital regulation, and in fact predates the final version of the GDPR by about six months. In addition to standards like current website accessibility guidelines and other privacy laws, PIPEDA is designed to ensure that the internet is a safe and accessible platform for all who need or want to use it.

The Personal Information Protection and Electronic Documents Act covers any private sector business or organisation that collects and/or uses personal information in the course of conducting business.

For the purposes of these regulations, such organisations are defined as any enterprise whose main purpose is commercial, including selling, leasing, bartering with the public, organisations that engage in membership-related enterprise, and those that raise and collect funds.

This also applies to donor lists and amounts, unless this information is required by law. The PIPEDA regulations are meant to cover all Canadian provinces, though many have their own, similar regulations regarding data collection and protection in place.

Those provinces are Alberta, British Columbia, and Quebec; Labrador, New Brunswick, Newfoundland, Nova Scotia, and Ontario have created regulations pertaining to collecting, using, and storing health-related data.

PIPEDA also covers information that’s transmitted across Canadian borders and federally regulated organizations like:

☑️ Airports, airlines, and air transportation
☑️ Local banks and authorized foreign financial institutions
☑️ Inter-provincial or international transportation companies
☑️ Telecommunication companies
☑️ Radio and TV broadcasters
☑️ Offshore drilling operations

Who Isn’t Bound by PIPEDA?

The goal of PIPEDA is to provide broad protection and a unifying set of guidelines for data collection. But, not everyone is bound by these regulations.

These organizations and circumstances aren’t regulated by PIPEDA:

☑️ Information collected by government agencies and covered under the Privacy Act
☑️ Provincial or territorial governments and agents
☑️ Business contact information collected, stored, and/or used for employment or professional purposes
☑️ Information collected by individuals for personal use, such as greeting card lists
☑️ Information collected, used, and/or stored by organizations for artistic, journalistic, and literary purposes
☑️ Non-profit organizations, if not engaged in commercial activities
☑️ Political parties and organizations, for use during non-commercial activities

Most schools, municipalities, and public medical facilities are governed by the laws and regulations in their province, although PIPEDA may apply in some cases.

Defining Personal Information

Now that you have a basic understanding about who PIPEDA covers, you might wonder what it covers. The government defines personal information as anything that can identify you, your location, and employment status, including:

• Names, addresses, age, account or ID numbers, income, blood type, or ethnic origin
• Opinions, survey answers, comments, social or marital status, and mention of disciplinary actions
• Employment, health, military, credit, and financial records
• Evidence of disputes between a consumer and merchant

The scope of PIPEDA doesn’t define its reach beyond Canadian borders, but the Federal Court in Canada has decreed that organisations outside of Canada must meet compliance if their activities and interests are intertwined with Canadian interests.

Not only will following PIPEDA guidelines ensure that you remain in compliance, updates to this regulation are meant to keep it in line with data collection/storage.protection laws in other countries. This will enable us to continue to expand financial opportunities overseas and protect our own information – and that of Canadian citizens – in the process.

If you’re unsure of or unfamiliar with PIPEDA guidelines, here are the 10 guiding principles on which it is based and the rationale for each. These principles of fair information use are detailed further in the text of Schedule 1 of the PIPEDA regulation.

1. Accountability

Because you’re responsible for the personal information you collect and control, you must appoint a qualified Privacy Officer for the sole purpose of ensuring PIPEDA compliance.

2. Identifying Purposes

You must disclose what data you’ll be collecting and why you need it before or at the time of data collection.

3. Informed Consent

You must inform individuals and gain their consent for any collection, use, or disclosure of their personal information. Exemptions apply to cases where there are legal, medical, or security reasons that make such informed consent impossible or impractical.

4. Limiting Collection

Any personal information gathered must be collected by fair and lawful means, and it must be limited to only that information that’s necessary the purpose legal purposes identified by the organization.

5. Limiting Disclosure, Retention, and Use

Personal information can only be used or disclosed for the stated purpose of collection. Any information you collect can only be retained for the length of time outlined to fulfill those purposes, and you must obtain further consent from the individual if those conditions change or it is required by law.

6. Data Accuracy

Any personal or sensitive data must be as accurate, complete, and up-to-date as possible to fulfill its intended purpose.

7. Data Safeguards

You’re responsible for protecting personal information by appropriate security standards against loss, theft, copying, modification, disclosure, unauthorized access, or use.

8. Openness and Transparency

You’re required to be fully transparent about your data collection/retention. storage policies and practices. These policies and procedures must be readily available, accessible, and understandable to individuals and governing agencies.

9. Individual Access

Any individual requesting information about personal data and data management/protection must be informed about the existence, use, and disclosure of their information and be provided full access to such data. They also have the right to challenge the accuracy and completeness and request that their data be amended.

Your right to deny such requests is limited to commercial proprietary, legal, or security reasons, including those covered under litigation privilege or solicitor-client relations.

10. Challenging Compliance

Individuals have the right to challenge an organization’s compliance with PIPEDA’s principles and direct that challenge to the organisation’s PO in charge of PIPEDA compliance.

For each of the principles, there’s a way that you can ensure that you’re in compliance and avoid scrutiny or punishment by the Office of the Privacy Commissioner. Here are 10 easy tips that are designed to keep you out of trouble.

1. Make sure your privacy policy is visible on your website to visitors and your organisation’s privacy officer (PO).
2. Inform and train staff members regarding your privacy protocols, and make sure that they have contact information for your PO.
3. Remember that the buck stops with you. You’re responsible for compliance and making sure that all staff members are properly trained and have the tools they need.
4. Refine your data collection requirements and procedures. If you’re collecting personal information on anyone, including staff and customers, collect only what you need and make sure it’s stored in a secure environment.
5. Make using an SIN optional. Unless there’s a legal reason for doing so, don’t require customers to disclose their SIN when filling in forms on your website.
6. Don’t make copies of personal or government IDs. There are times when you might need to verify someone’s identity or residency. Your staff can look at the driver’s license or other government ID, but they don’t need to make or keep a copy.
7. Inform customers when they’re being videotaped or recorded. If you use video surveillance equipment on your property or record incoming calls, post signs and inform callers of this fact, and try not to keep copies unless they’re necessary for your business use.
8. Protect all personal information. Collecting information is unavoidable, especially in the healthcare or financial industries. If you do need such data, collect only what you need, inform customers of what data you’re collecting and why, and keep it secure through secure storage and by installing a VPN on all devices and networks. But keep in mind that free VPNs might not be as reliable and secure.
9. Respond promptly to requests for access. You have a duty to comply with all data collection protocols, and a responsibility to respond to any requests from customer or job applicants for their information. When receiving a lawful request, respond swiftly and fully.
10. Be transparent. As soon as you have your privacy policy in place, make sure to be fully transparent about your data collection needs, uses, and any security measures in place for data protection.

If you’re concerned about your status, you’re free to contact the PO assigned to your organisation or industry. One of the newer requirements under the updated regulation is the introduction of mandatory data breach notifications.

Beginning on November 1st 2018, organizations that are subject to PIPEDA regulations are legally obligated to notify the Privacy Commissioner of Canada as soon as they become aware of any breaches of security safeguards that involve personal information that poses real risk of causing significant harm to employees, consumers, and other individuals.

By law, these companies and organisations also have to inform any and all individuals affected by such breaches. They must also retain records of all such breaches for a period of at least two years, even if such breaches were already reported to Canada’s Privacy Commissioner.

It’s in your best interest to develop a working process for evaluating risk of significant harm as it pertains to your organisation and the legal definition of significant harm. The Privacy Commissioner of Canada recommends that you take into consideration the sensitivity of the personal information involved and the likelihood that such information will be misused if exposed or accessed by an unauthorized individual or group.

Such risk can be calculated by asking the right questions regarding the nature of the breach, such as intent, and whether it was protected using current protocols, standards, and best practices for data protection. If you knowingly and intentionally disregard the new PIPEDA requirements for data breach notifications and record retention, you’re subject to fines of up to CAD$100,000.

In an increasingly global economy, maintaining compliance with all of the pertinent regulations is essential. Canada has long been a leader when it comes to protecting the privacy of its citizens and business leaders.

Improvements to our privacy laws will serve the purpose of informing Canadians of their rights when it comes to digital transactions and ensure that we’ll continue to expand our international business interests.

If you’re a website owner concerned about your PIPEDA compliance, there are a number of guides and publications from the government available to help you gauge your level of preparedness and get up to speed.