PIPEDA Compliance Checklist
If your business is subject to Canada´s Personal Information Protection and Electronic Documents Act, a PIPEDA compliance checklist is a comprehensive reference to ensure the business is doing everything necessary to comply with the data privacy act. This article explains the PIPEDA requirements and who they apply to, and provides an example of a PIPEDA data privacy act compliance checklist businesses are invited to use to help them comply with the ten fair information principles of PIPEDA.
A Brief Introduction to PIPEDA
PIPEDA was enacted in 2000 with the objective of encouraging trust between consumers and businesses in e-commerce. The Act governs how covered businesses collect, use, and disclose personal information. It also gives individuals the right of access to information a business holds about them, and the right to challenge the accuracy and completeness of the information.
Since the enactment of PIPEDA, subsequent amendments have increased compliance obligations, and further changes have been proposed in the Digital Charter Implementation Act which is currently progressing through the House of Commons. If passed, Part 1 of PIPEDA will be replaced with the Consumer Privacy Protection Act, and Part 2 renamed as the Electronic Documents Act.
Despite the expected changes – which will result in a closer alignment with the EU´s General Data Protection Regulation (GDPR) – the concept and objectives of PIPEDA remain the same. Therefore, businesses that can complete a PIPEDA compliance checklist now will be in a strong position to transition from the requirements of PIPEDA Part 1 to those of the Consumer Privacy Protection Act.
What are the PIPEDA Requirements?
The PIPEDA requirements are based on the ten fair information principles of PIPEDA. The PIPEDA requirements can be found in Schedule 1 of the current version of the Act (page 48) and these principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information when individuals request it.
In addition to these principles, PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances. This requirement will change with the introduction of the Digital Charter Implementation Act when a reason for the collection, use, or disclosure of personal information has to be provided for an individual to give their informed consent.
With regards to the ten PIPEDA fair information principles, these are:
- Be Accountable
Under the first requirement of PIPEDA, businesses have to appoint someone to be responsible for PIPEDA compliance and develop and implement personal information policies and practices that protect personal information – including information sent to a third party for processing.
- Identify the Purpose
Businesses have to identify and document the purpose(s) for collecting personal information, advise customers why their personal information is being collected, and – if the purpose changes – contact customers to obtain their consent to use the information for the new purpose.
- Obtain Valid, Informed Consent
Informed consent is an essential element of the PIPEDA requirements; and, for informed consent to be valid, businesses must make sure customers know what they are consenting to. To be valid, customers must also have the option of withdrawing their consent.
- Limit Collection
Businesses must only collect the personal information required to fulfil a legitimate identified purpose. Furthermore, the information must be collected by fair and lawful means. Businesses that use deceitful means to collect personal information are in violation of PIPEDA.
- Limit Use, Disclosure, and Retention
Businesses are only allowed to use and disclose personal information for the purpose(s) it was collected. Once the personal information has been used or disclosed, it should be destroyed, erased, or anonymized within a reasonable period of time.
- Be Accurate
Businesses must minimize the possibility of using incorrect information when making a decision about an individual or when disclosing information to third parties, and should implement measures to verify the accuracy, completeness, and timeliness of personal information.
- Use Appropriate Safeguards
Businesses must implement appropriate safeguards to protect all personal information against loss, theft, or any unauthorized access, disclosure, copying, use, or modification. Note: PIPEDA does specify any particular safeguards to use due to the evolving nature of cybercrime.
- Be Open
Individuals should not be expected to decipher complex legal language in order to make informed decisions on whether or not to provide consent, so businesses are required to make policies and practices easy to understand and easily available.
- Give Individuals Access
Individuals have a right to access the personal information that a business holds about them, and businesses are required to inform customers how they can request access and challenge the accuracy of the information. Note access requests must be resolved within 30 days.
- Challenging Compliance
Customers have the right to challenge a business´s compliance with PIPEDA, and – to comply with this PIPEDA requirement – businesses must implement simple complaint handling and investigation procedures, plus inform complainants with their avenues of recourse.
Who Does PIPEDA Apply To?
Generally, PIPEDA applies to private sector businesses across Canada with the exception of those located in Quebec, British Columbia, and Alberta. This exception exists because these provinces have “substantially similar” privacy laws. However, private healthcare businesses in Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia are also exempt from complying with PIPEDA due to these provinces having substantially similar health information protection laws.
Federally regulated organizations are also required to comply with PIPEDA. These organizations include airports, airlines, banks, transportation companies, offshore drilling operators, and radio and TV broadcasters. Importantly, the requirement to comply with PIPEDA applies even when data flows from a province in which PIPEDA applies to another in which substantially similar privacy laws exist (or vice versa). Consequently, some businesses could be subject to two sets of privacy laws.
With regards to international data flows, businesses are required to protect personal information that is “collected, used, or disclosed internationally”, but there is no requirement on businesses located outside Canada to apply the same protections when collecting, using, or disclosing the personal information of Canadian citizens – either within or outside Canadian borders. There is no indication this will change in the forthcoming Digital Charter Implementation Act.
Example PIPEDA Compliance Checklist
The following example PIPEDA compliance checklist covers the basic requirements of PIPEDA and the ten fair information principles. However, it is only an example and therefore does not guarantee compliance with PIPEDA. It is important to be aware there is no one-size-fits-all PIPEDA data privacy act compliance checklist as businesses must develop policies and procedures applicable to the nature of their operations and the sensitivity of the information collected, used, and disclosed.
- Designate a privacy officer
- Conduct an audit to determine the answers to the following questions:
- What personal information is collected?
- Why is it collected?
- How is it collected?
- What is it used for?
- Where is it kept?
- How is it secured?
- Who has access to it?
- Who is it shared with?
- When is it disposed of?
- Conduct a privacy impact assessment and threat analysis.
- Develop a privacy management program.
- Develop, document, and implement policies to protect personal information from unauthorized use, disclosure, or modification.
- Develop, document, and implement policies to define the purposes of collection.
- Develop, document, and implement policies to obtain valid and meaningful consent.
- Develop, document, and implement policies to limit the collection, use, and disclosure of personal information.
- Develop, document, and implement policies to ensure information is correct, complete, and current.
- Ensure security measures are adequate to protect information.
- Define a retention and destruction timetable.
- Develop, document, and implement policies to respond to complaints, inquiries, and requests to access personal information.
- Develop, document, and implement policies to report breaches of personal information and notify those affected.
- Define best practices to be implemented by third-party service-providers with whom personal information is shared.
- Deliver appropriate privacy training for employees.
Breach Notifications, Customer Complaints, and OPC Audits
It is important to be aware PIPEDA Includes mandatory breach reporting requirements. Businesses must inform the Office of the Privacy Commissioner (OPC) of any security breaches that pose a real risk of significant harm to an individual. The affected individual(s) and relevant third parties must also be notified, and a record kept of each breach regardless of whether harm has occurred.
Customers and employees can file a complaint to the Office of the Privacy Commission if they believe a business has failed to comply with the PIPEDA requirements – even if no harm has resulted from the non-compliance. PIPEDA contains a whistleblower provision that makes it illegal for a business to retaliate against a customer or employee who has filed a complaint with the OPC.
PIPEDA also gives the Office of the Privacy Commissioner the authority to audit a business´s privacy practices when the OPC has reasonable grounds to believe the business is not complying with the PIPEDA requirements. If a business is found to have knowingly failed to comply with PIPEDA, the business can be fined up to CAD$100,000 for each violation identified by the OPC.
PIPEDA Compliance Checklist FAQs
What does PIPEDA stand for?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act – a data privacy protection law that applies to private businesses across Canada except in jurisdictions in which substantially similar privacy laws exist.
What is the purpose of PIPEDA?
PIPEDA establishes the rules for how businesses in the private sector collect, use, and disclose personal information. It also places obligations on businesses to ensure the integrity of personal information when it is shared with a third party either inside or outside Canada.
What does PIPEDA protect?
PIPEDA protects the person information and rights of individuals by stipulating businesses have to explain why they are collecting personal information and what it is being used for. Individuals have the right to inspect and correct what information about them is maintained by businesses.
Why is PIPEDA important?
Other than protecting the personal information and rights of individuals, PEPIDA is important because it meets the adequacy standards of GDPR. This means data can be exchanged between Canadian businesses and the EU without encumbrances of Standard Contractual Clauses.
What is personal information under PIPEDA?
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form (i.e., paper or electronic, text or image, etc.) such as:
Age, name, ID numbers, income, ethnic origin, or blood type
Opinions, evaluations, comments, social status, or disciplinary actions
Employee files, credit card numbers, loan records, or medical records
Who enforces PIPEDA?
PIPEDA is enforced by the Office of the Privacy Commissioner of Canada through investigations, responses to customer and employee complaints, and an audit program. Complainant can also apply for complaints to be heard in a federal court if they want to pursue damages against the business.
What is a PIPEDA violation?
A PIPEDA violation is any violation of Division 1 of the Act (Protection of Personal Information), any violation of Division 1.12 of the Act (Breaches of Security Safeguards – which includes the breach notification rule), or the failure to comply with the ten PIPEDA fair information principles.
What is considered a breach of PIPEDA?
The terms “breach” and “violation” are often used interchangeably in PIPEDA law; however, breaches of PIPEDA are more commonly interpreted as breaches of security standards which result in – or have the potential to result in – significant harm to an individual or to individuals.
What is PIPEDA compliance?
PIPEDA compliance means implementing the policies and procedures necessary for the compliant collection, use, or disclosure of personal information during commercial activities, using appropriate safeguards to protect personal information from loss, theft, and unauthorized disclosure, and empowering individuals to access data maintained about them and challenge its accuracy when necessary.
What is the PIPEDA data breach notification rule?
The PIPEDA breach notification rule was added to the Act in 2015. Under the PIPEDA data breach notification rule, businesses are required to notify the Office of the Privacy Commission of any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
The PIPEDA breach notification rule also requires businesses to notify affected individuals in a manner which makes clear the risk of harm and the steps they should take to mitigate the risk. Businesses also have to notify third-party organizations (i.e., banks, government departments, etc.) if it is believed the third-party organization can take steps to mitigate the risk of harm.