The Personal Information Protection and Electronic Documents Act (PIPEDA)
What Is PIPEDA?
The Personal Information Protection and Electronic Documents Act or PIPEDA is one of Canada’s primary data privacy laws. It protects personal information that is collected, used, or disclosed by organizations.
PIPEDA protects privacy rights by requiring that organizations inform users of their online data handling practices and obtain consent to collect, use, and disclose personal information. The law is enforced by Canada’s Officer of the Privacy Commissioner (OPC).
PIPEDA was written to closely replicate Europe’s GDPR (General Data Protection Regulation). Because it provides equivalent data protection, PIPEDA allows for the efficient dissemination of data between Canada to the EU.
PIPEDA applies to public, private, and government organizations as well as federally-regulated organizations (e.g., banks, airlines, airports), telecommunications companies, and interprovincial and international transportation companies. Exempted organizations include not-for-profit organizations, political parties, educational institutions, and hospitals—as long as they do not engage in commercial activities.
Organizations in Quebec, British Columbia, and Alberta are also exempt from PIPEDA, since they are subject to provincial privacy laws comparable to PIPEDA. However, Canadian organizations that transfer data across provincial and national borders are subject to PIPEDA, regardless of where they operate or their province’s privacy laws.
For regional activities, PIPEDA is applicable in:
- New Brunswick
- Newfoundland and Labrador
- Northwest Territories
- Nova Scotia
- Prince Edward Island
Ten Fair Information Principles for PIPEDA
- 1. Accountability
An organization is responsible for personal information under its control and is required to appoint a Privacy Officer whose purpose is to ensure compliance with PIPEDA.
- 2. Identifying Purposes
Organizations must identify the purposes for which personal data is being collected before or at the time of collection.
- 3. Consent
Where appropriate, organizations must obtain consent for the collection, use, or disclosure of personal information, with exceptions for when obtaining consent is impossible or impractical.
- 4. Limiting Collection
Organizations may only collect the amount necessary for an identified purpose, and it must be collected by fair and lawful means.
- 5. Limiting Use, Disclosure, and Retention
Organizations may only use or share personal information for the purposes for which it was collected, and it may only be retained for the time needed for the identified purpose.
- 6. Accuracy
Personal information must be accurate, complete, and current.
- 7. Safeguards
Appropriate security measures must be implemented and maintained to protect personal information from loss, theft, unauthorized access, disclosure, copying, or modification.
- 8. Openness
Personal information policies and practices must be open and accessible in understandable language.
- 9. Individual Access
Individuals have the right to access and correct their personal information as well as to be informed of the existence, use, and disclosure of their personal information.
- 10. Challenging Compliance
An individual can challenge an organization’s compliance with PIPEDA by making a complaint.
What Is Not Covered by PIPEDA?
PIPEDA is a far-reaching regulation, but it contains a number of exceptions where personal information can be collected, used, and disclosed by organizations without an individual’s consent. Following is a sampling of what is not covered by PIPEDA.
Organizations’ collection of personal information is not covered by PIPEDA when the information collected is:
- Clearly, in the interest of the individual and consent cannot be obtained in a timely way—e.g., in an emergency healthcare situation
- Reasonable for purposes related to investigating a breach of an agreement or a transgression of the laws of Canada
- Used for statistical or research purposes that cannot be achieved without using the information, and it is anonymized
- Publicly available
Organizations’ disclosure of personal information is not covered by PIPEDA when the disclosure is:
- Part of a data breach notification
- Made for the purpose of collecting a debt owed by the individual to an organization
- Required to comply with a subpoena or warrant issued or an order made by a court, person, or body with jurisdiction to compel the production of information or to comply with rules of court relating to the production of records
- Responding to a lawful request by a government institution or part of a government institution for follow up (e.g., for national security interest, law enforcement effort, communicating with the next of kin or authorized representative on behalf of an incapacitated or deceased individual, proceeds from money laundering, Terrorist Financing Act)
- Made to an institution whose functions include the conservation of records of historical or archival importance, and the disclosure is made for such conservation
- Made after the earlier of:
- One hundred years after the record containing the information was created
- Twenty years after the death of the individual the information is about
Collection, Use, and Disclosure
Organizations’ collection, use, and disclosure of personal information are not covered by PIPEDA when it is used for:
- Journalistic, artistic, or literary purposes only
- Communicating with the individual concerning their employment, business, or profession
- Situations when organizations have entered into an agreement that requires the organization to receive the personal information
- A business transaction of which the primary purpose or result is the purchase, sale, or other acquisition or disposition, or lease, of personal information
- Establishment, management, or termination of an employment relationship
In the case of individuals, what is not covered by PIPEDA is personal information that the individual collects, uses, or discloses for personal or domestic purposes and does not collect, use, or disclose for any other purpose.
Business Responsibilities Under PIPEDA
PIPEDA holds businesses responsible for obtaining express consent prior to collecting consumer information, as well as for implementing and maintaining security systems to ensure the ongoing protection of that information.
Consent Requirements under PIPEDA
The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use, or disclosure of the personal information to which they are consenting.Definition of valid consent according to PIPEDA (Section 6.1)
PIPEDA recognizes two forms of consent:
- Express consent—the individual actively agrees to something (e.g., checks a box labeled “I agree”)
- Implied consent—the individual is offered the opportunity to refuse something, and they do not refuse (e.g., does not uncheck a pre-checked box labeled “I agree”)
According to the OPC, express consent must be obtained when:
- Personal information is sensitive—although PIPEDA does not include a list of sensitive information, in most contexts, it includes financial, health, or personally identifiable information.
- The intended use of the personal information might fall outside of individuals’ reasonable expectations, such as sharing information for marketing purposes, accessing contact lists, or tracking location.
- When there is a “meaningful residual risk of significant harm.”
For situations outside of those noted above, implied consent is sufficient.
PIPEDA Data Security Requirements
Business responsibilities under PIPEDA also require implementing and maintaining data breach security safeguards, including:
- Access controls
- Audit and accountability
- Configuration management
- Data and document management
- Data loss prevention
- Device identification
- Incident detection
- Incident response plan, including remediation and analysis
- Information system monitoring
- Remote access controls
- Risk assessment and prioritization
- System and information integrity
- Usage monitoring
- User identification and authentication
- Virtual private networks (VPNs)
PIPEDA and Data Breaches
Organizations are required to report any breach of security safeguards that involves personal information under its control to the Office of the Privacy Commissioner (OPC) of Canada, if there is reason to believe that the breach creates a risk of significant harm to an individual whose information was compromised.
In the following cases, individuals should be notified.
Significant Harm According to PIPEDA
- Bodily harm
- Business or professional opportunities impacted
- Damage to or loss of property
- Damage to reputation or relationships
- Financial loss
- Identity theft
- Loss of employment
- Negative effects on a credit record
PIPEDA Data Breach OPC Report Requirements
- Contains the relevant information about the breach
- Provided as soon as feasible after the breach has occurred
- Filed if a breach has a real risk of significant individual harm based on the:
- Sensitivity of the personal information involved in the breach
- Probability that the personal information has been, is being, or will be misused
PIPEDA Data Breach Requirements for Individual Notifications
Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving personal information. Notifications should:
- Inform the individual about the significance of the breach to enable them to take steps, if any are possible, to reduce the risk of harm that could result from it
- Be given directly to the individual
- Be delivered as soon as feasible after the organization determines that the breach has occurred
PIPEDA: Strong Privacy Legislation on Par with GDPR
PIPEDA brought strong privacy laws to parts of Canada that lagged in passing legislation that protected individuals’ rights. With PIPEDA, Canada’s privacy laws are on par with GDPR, making them some of the strongest in the world. This is good for citizens as well as organizations that engage in cross-border data transfers as part of their work.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 23rd December, 2021