Overview of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

2. Who Needs to Comply with the PIPEDA

PIPEDA applies to private-sector organizations engaged in commercial activities. Organizations that are subject to provincial privacy laws are generally exempt from the application of the PIPEDA.

2.1 Personal Scope

PIPEDA does not explicitly refer to the nationality or place of residence of individuals. Instead, PIPEDA applies to all organizations in Canada which collect, use, or disclose personal information of natural persons in the course of commercial activities (including personal information belonging to employees).

2.2 Material Scope

PIPEDA imposes strict obligations for companies regarding the safekeeping, access, retention, and destruction of users’ personal information.

According to PIPEDA and OPC Guidelines, any information can be sensitive depending on the context. For example, the following information constitutes sensitive personal information:

• Medical records
• Income records
• Financial information
• Work performance information
• Social insurance numbers
• Live stream of young children

PIPEDA does not apply to the collection, use, or disclosure of personal information for personal use or household purposes, as it only applies to commercial activities.

2.3 Territorial Scope

PIPEDA applies to all Canadian organizations that collect, use or disclose personal information in the course of commercial activities.

PIPEDA also applies to organizations outside of Canada if their activities involve a real and substantial connection to Canada. This is used on a case-by-case basis.

Fair Information Principle

PIPEDA sets out 10 fair information principles which are as follows:

1. Accountability: organizations should appoint someone to be responsible for compliance.
2. Identifying purposes: organizations must define the purpose for collecting personal information.
3. Consent: organizations must inform the data subject of the collection, use, and disclosure of personal information.
4. Limiting collection: organizations must only collect the amount of data that is necessary.
5. Limiting use, disclosure, and retention: organizations must not use or disclose personal information for a purpose different from the purpose it was collected for, except under certain circumstances.
6. Accuracy: organizations must keep personal information accurate.
7. Safeguards: organizations must protect personal information against loss or theft.
8. Openness: privacy policy and practices must be understandable and easily available.
9. Individual access: data subjects have a right to access the personal information an organization holds about them.
10. Resource: organizations must develop accessible complaint procedures.

3. Obligations for the Data Controller and Data Processor

PIPEDA does not differentiate between data controllers and data processors and provides a similar set of responsibilities for both controllers and processors. PIPEDA demands all organizations appoint individuals who will be accountable for ensuring streamlined compliance of an organization’s data activities in accordance with the provisions of PIPEDA.

4. Consent Requirements

In many circumstances, PIPEDA requires organizations to obtain the data subject’s consent to use, disclose, and retain any personal information.

Consent of an individual is valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting. The information must be provided in manageable and easily accessible ways to data subjects and data subjects must be allowed to withdraw consent.

If there is a use or disclosure a data subject would not reasonably expect to be occurring, such as certain sharing of information with a third party or the tracking of location, express consent would likely be required.

However, the data subject’s consent may not be required for certain data processing activities such as when the collection is “clearly” in the interests of the individual and consent cannot be obtained in a timely way, data is being collected in the course of employment, journalistic, is already publicly available, information is being collected for the detection and prevention of fraud or for law enforcement, and seeking the consent of the data subject might defeat the purpose of collecting the information.

5. Data Security Requirements

PIPEDA requires all organizations to enforce the necessary security measures to protect the personal information of data subjects against loss or theft, unauthorized access, disclosure, copying, use, or any modification.

6. Data Breach Notification Requirement

The breach notification requirements under PIPEDA came into effect on 1 November 2018. Organizations are now required to notify individuals, the OPC, and potentially other organizations of a data breach such as law enforcement organizations or organizations processing payments. The breach notification must take place as soon as feasible after the organization determines that the breach has occurred.

Under PIPEDA, organizations are required to maintain a record of every data breach involving personal information.

7. Data Protection Officer Requirement

PIPEDA imposes that organizations appoint data protection officer(s) who must act as the point of contact for individuals. The data protection officer will be responsible for monitoring compliance with the provisions of the PIPEDA. The name, title, and address of the officer(s) must be made explicitly available for anyone who wants to get in touch with the data protection officer.

8. Record of Processing Activities

Under PIPEDA, organizations must record the purposes for which personal information is collected.

9. Cross Border Data Transfer Requirements

PIPEDA does not provide any specific restrictions for cross-border data transfers. However, all cross-border data transfers are subject to the “accountability” principle under PIPEDA.

Accordingly, the data-transferring organization is accountable for the protection of the personal information it is transferring to. The OPC's Guidelines for Processing Personal Data Across Borders ('the Cross-border Guidelines') has specified that suitable means include, but are not limited to, ensuring that the third party:

• has appropriate policies and processes in place;
• has trained its staff to ensure information is appropriately safeguarded at all times;
• has adequate security measures in place.

Simultaneously, the Cross-border Guidelines also specify that organizations must provide notice to customers that:

• their personal information may be sent to another jurisdiction for processing;
• while the information is in the other jurisdiction, it may be accessed by the courts, law enforcement, and national security authorities.

10. Data Subject Rights

PIPEDA bestows the following rights to data subjects:

• Right to access
• Right to accuracy and completeness
• Right to withdraw consent and submit complaints

11. Penalties for PIPEDA Non-Compliance

PIPEDA imposes administrative penalties for non-compliance, where the amount may vary depending upon the severity and the kind of violation. According to PIPEDA, the following conduct may account for an offense:

• obstructing the OPC in an investigation;
• failing to report security breaches involving personal information under an organization's control;
• failing to maintain records of security breaches involving personal information under an organization's control;
• disciplining a whistleblower.

For offenses punishable on summary conviction, fines do not exceed CAD 10,000 and indictable offenses do not exceed CAD 100,000.

12. How Can Securiti Help

The global dynamics of accessing and sharing personal data is rapidly changing, requiring organizations to become more privacy-conscious of their processes and responsible guardians of their consumers' data, all while automating privacy and security operations for swift action.

With a growing database of users and potential users, organizations need to incorporate robotic automation to operationalize compliance without missing out. While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.

Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Canada’s PIPEDA law and other privacy and security regulations worldwide. See how it works. Request a demo today.