Everything You Need to Know About PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that governs how corporate entities collect, use and disclose personal information while carrying out business activities in Canada. PIPEDA received Royal Assent on 13 April 2000 and fully came into force on 1 January 2004. It also covers the personal information of employees in federally regulated businesses such as transportation and infrastructure, telecommunications and broadcasting, banking and financial services, and offshore drilling operations.
PIPEDA established the Office of the Privacy Commissioner of Canada (OPC) to enforce the law and investigate privacy breach complaints.
Scope of PIPEDA
PIPEDA applies to all private-sector organisations that collect, use or disclose personal information. This also includes non-profit organisations and charities, except those in Quebec, Alberta and British Columbia.
It also applies to federally regulated organisations, inter-provincial providers of goods and services and government agencies. It is important to note that PIPEDA applies only to the commercial activities and not to government organisations that carry out public functions, for example, law enforcement or national security.
Types of Data covered by PIPEDA
According to PIPEDA, personal information encompasses a broad range of data, including both factual information (name, address, phone number, email address, age, ethnic origin or blood type) and subjective information (opinions, preferences, evaluations, social status or disciplinary actions). It also includes employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and a person's intentions.
These types of data are covered under PIPEDA irrespective of whether they are recorded (written or electronically stored) or not (such as verbal communications or unrecorded notes).
PIPEDA, on the other hand, does not cover the following:
- Personal information that is handled by federal government organisations listed under the Privacy Act
- Provincial or territorial governments and their agents
- Business contact information such as an employee’s name, title, business address, telephone number or email address that is collected, used or disclosed to communicate with that person about their employment or profession
- An individual’s collection, use or disclosure of personal information strictly for personal purposes (such as a personal greeting card list)
- An organisation’s collection, use or disclosure of personal information for journalistic, artistic or literary purposes
It is important to note that PIPEDA does not apply to not-for-profit and charity groups, political parties and associations. Although municipalities, universities, schools and hospitals are governed by provincial laws, these institutions can be subject to PIPEDA only if they engage in a non-core commercial activity, such as a university selling its list of top-ranking students or a hospital operating a parking garage. However, if a third party is operating a business on any of the institution’s premises (such as a coffee shop in a hospital or a bookshop in a university), then the institution will not be subject to PIPEDA.
Core Requirements of PIPEDA
Companies are required to follow the Ten Fair Information Principles outlined in PIPEDA to protect personal information.
- Accountability: Organizations are responsible for personal information under their control and must appoint someone to be accountable for ensuring compliance with these principles.
- Identifying Purposes: Organizations must identify the purposes for which personal information is being collected before or at the time of collection.
- Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Limiting Collection: The collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Information must be collected by fair and lawful means.
- Limiting Use, Disclosure, and Retention: Personal information can only be used or disclosed for the purposes for which it was collected, unless the individual consents otherwise or it is required by law. Personal information must only be kept as long as required to serve those purposes.
- Accuracy: Personal information must be as accurate, complete, and up-to-date as possible to properly satisfy the purposes for which it is to be used.
- Safeguards: Personal information must be protected by appropriate security relative to the sensitivity of the information.
- Openness: An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
- Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA.
PIPEDA Enforcement and Compliance
A complaint can be initiated by an individual or the Commissioner. Once a complaint by an individual is received, the OPC determines whether the complaint is covered by PIPEDA. If it is, the OPC will determine whether the issue can be addressed immediately. In such cases, the issue will be handled by an Early Resolution Officer. This will only occur if the OPC has already made findings on the issue, the organisation has addressed the allegations to the OPC's satisfaction, or the allegations can be easily resolved.
However, if the OPC finds that the complaint cannot be addressed immediately, it will be formally investigated. These types of complaints are serious, systemic or complex. During the investigation, the OPC will determine whether the individual’s rights under PIPEDA have been violated. The investigator (either the Privacy Commissioner or a delegate) has the authority to receive evidence, enter premises (if necessary) and examine or obtain copies of records found on any premises. Afterwards, the investigator will analyse the facts and provide recommendations to the Privacy Commissioner. The issue can be settled either through a mutually satisfactory solution for all parties involved or, if the OPC finds a violation of PIPEDA, it will recommend that the organisation remedy the issue and set a deadline for compliance.
If the OPC has provided recommendations to an organisation and finds that they have not been implemented, the organisation will be asked to set a new compliance deadline, and the OPC will assess whether corrective action has been taken. If not, the Privacy Commissioner can apply to the Federal Court for a hearing, and the Federal Court has the power to order the organisation to correct its data practices. Damages, including damages for humiliation, can be awarded to the complainant. From a company’s perspective, this is concerning because there is no limit on the amount of damages that can be awarded.
Organizations that fail to comply can also face significant consequences such as penalties and fines of up to CAD$100,000 or legal action for violating PIPEDA.
Two high-profile cases include the settlement of $2.25 million in Haikola v The Personal Insurance Company, 2019 ONSC 5982 and the $725m Meta data breach scandal linked to Cambridge Analytica.
Third-Party Requirements Under PIPEDA
The organization is responsible for sharing personal information
According to PIPEDA, an organisation is responsible for its customers’ personal information, including information that has been shared with a third party for processing. If an organisation transfers personal information to a third party, within or outside of Canada, it has to ensure that the data is protected as required by PIPEDA. This can be done by incorporating protection clauses in contracts with third parties that address cybersecurity policies and the measures required for preventing and handling data breaches.
Provide precise details of third parties that have access to personal information
When an organisation is asked to provide information on the third parties that have access to an individual’s personal information, it has to be precise. In situations where the organisation cannot confirm which third parties have received the personal information, it must provide a general list of organisations that could have received it.
Although PIPEDA gives individuals the right to access their personal information from an organisation and a third party, there are situations where this right is limited. An organisation cannot provide personal information if it would reveal the personal information of a third party. However, if the third party’s information can be removed, then the organisation may redact or exclude it before granting access to the individual. This exception does not apply if the third party consents to the disclosure or if the individual needs access to the information because their life, health or security is threatened.
A key point to remember is that an organisation can provide sensitive medical information to the individual's medical practitioner instead of giving it directly to the individual.
Constantly update personal information
The organisation and its third parties have to regularly update personal information that is in continuous use, to ensure that the information remains accurate.
Important tips!
Have a compliance management program and regularly update the policies to ensure compliance with PIPEDA and any amendments.
Also, conduct vendor due diligence before engaging third-party contractors and ensure that their practices adhere to PIPEDA. The last thing you need is to be tied up in a dispute because a third-party contractor was non-compliant with PIPEDA.
Monica Aguilar
Monica is a lawyer and business expert with a broad background in law, media and corporate management. Her career began in journalism, where she worked as a radio presenter, TV and print business journalist and television producer before moving into commercial law. As a Barrister and Solicitor in Fiji, she advised on corporate governance, foreign investment, mergers and acquisitions, contract law and regulatory compliance.