What is PIPEDA (Personal Information Protection and Electronic Documents Act)? Understand and Comply with the Data Privacy Act

Learn about the Personal Information Protection and Electronic Documents Act (PIPEDA), what type of data it covers, and how to comply with the act's new data breach notification rules, in Data Protection 101, our series on the fundamentals of information security.

A Definition of PIPEDA (Personal Information Protection and Electronic Documents Act)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations in Canada.

The act was originally passed into law on April 13, 2000 to foster trust in electronic commerce, but its reach has since expanded to industries like banking, broadcasting, and the health sector.

The purpose of the law, per the legislation itself, is to “govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Under PIPEDA, as under the European Union's General Data Protection Regulation (GDPR), individuals have the right to access personal information held by an organization, to know who is responsible for collecting it and why it is being collected, and to challenge its accuracy. An important aspect of PIPEDA is that it is designed to keep Canada's notification requirements consistent with those of the country's trading partners, namely the EU.

"PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the EU, which allows for the free flow of personal information from the EU to Canadian organizations," a regulatory impact analysis statement published by the Canadian government in 2017 read.

The Act requires organizations to obtain an individual's consent (express, implied, or deemed) before collecting, using, or disclosing information beyond what is required to fulfill the explicitly specified and legitimate purposes.

Who is Subject to PIPEDA Compliance?

Any private enterprise in Canada that collects personal information during the course of commercial activity is subject to PIPEDA.

Canada's Office of the Privacy Commissioner has a helpful tool organizations can use to determine what organization to contact if they have a privacy issue. It also has a fact sheet on privacy legislation designed to assist enterprises as well.

Who isn't Subject to PIPEDA Compliance?

According to the Office of the Privacy Commissioner of Canada, PIPEDA may not apply to provincially regulated organizations and activities in provinces that have adopted similar privacy legislation. Quebec, British Columbia, and Alberta, and to a lesser extent Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador, already have similar legislation on the books.

Alberta and British Columbia, for example, each have a similar law, the Personal Information Protection Act (PIPA), that mirrors PIPEDA in some ways.

The Act still applies to interprovincial and international transactions in which personal information flows across borders, as well as to federally regulated organizations such as banks, telecommunications companies, and transportation companies. Even in provinces with similar legislation on the books, the Act applies to personal information collected, used, or disclosed by federally regulated organizations, known as federal works, undertakings or businesses (FWUBs), including:

What is covered?

Under PIPEDA, personal information is any “information about an identifiable individual,” which in practice means essentially any such data obtained in the course of a commercial activity.

Under PIPEDA, the following can be considered personal information:

What isn't covered?

What does the latest amendment to PIPEDA mean for data breach notification rules?

As of November 1, 2018, organizations subject to PIPEDA that experience a data breach must determine whether the unauthorized access to or loss of personal information could create a "risk of significant harm" to individuals.

The new provisions were approved back in 2015 as part of Bill S-4, the Digital Privacy Act.

Under the new amendments, in order to comply with PIPEDA, organizations must:

Using a PIPEDA breach report form, organizations must inform individuals “as soon as feasible after [it is] determined that a breach of security safeguards involving a real risk of significant harm has occurred.”

The OPC defines harm as "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." It describes a "risk of significant harm" as being associated with the following:

PIPEDA defines a breach of security safeguards as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.” For those interested in digging deeper, Clause 4.7 breaks these safeguards down further, but on the whole they are measures like passwords, encryption, and security controls that can prevent unauthorized access, disclosure, copying, use, or modification.

PIPEDA does not identify specific safeguards organizations can use, but it does stress that organizations must ensure personal information is adequately protected. Failing to report a data breach, or, separately, failing to keep or destroy data breach records, can result in a fine of up to $100,000.

In order to comply with PIPEDA's new rules, organizations need data protection safeguards in place to detect and respond to potential security incidents and to ensure that the personal information under their control is adequately protected.

MORE TOOLS

Beyond the tool for identifying which organization to contact about a privacy issue and the fact sheet on privacy legislation mentioned above, Canada's Office of the Privacy Commissioner also offers a self-assessment tool to help medium and large organizations build good privacy governance and management.