PIPEDA is relevant to all businesses addressing consumers in Canada with services and products. A guide to privacy compliance.
What is PIPEDA?
PIPEDA stands for Personal Information Protection and Electronic Documents Act and refers to Canada’s new basic data protection regulation. The act merges the two previous Canadian data protection laws, the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA), into a comprehensive regulation equivalent of the GDPR. The similarity to the European General Data Protection Regulation can be seen in many parts of PIPEDA, which is why it is often called DSGVO Canada.
Similar to the GDPR, the Canadian Data Protection Act regulates the process of personal data collected and stored in the course of commercial activities. The Personal Information Protection and Electronic Documents Act PIPEDA is therefore relevant for all the companies that address consumers in Canada with services and products – whether stationary or via distance selling. For the purposes of PIPEDA, commercial activities are all transactions or actions of a commercial nature or those having a commercial intent.
PIPEDA applies to businesses and organizations that are federally regulated and are subject to Canadian legislation. The Personal Information Protection and Electronic Documents Act also applies to the private sector of each province, unless a province has enacted its own privacy law that is substantially similar to the Personal Information Protection and Electronic Documents Act PIPEDA. Only British Columbia, Alberta and Quebec have privacy laws that can be broadly categorized as those similar to the PIPEDA. If an organization is located in British Columbia, Alberta or Quebec, the Personal Information Protection and Electronic Documents Act applies to personal information collected by those organizations to the extent that the commercial use of the information exceeds the boundaries of the respective province.
The 10 privacy principles in the Personal Information Protection and Electronic Documents Act (PIPEDA)
Organizations that need to comply with the regulations of PIPEDA should take a closer look at the data protection principles in this GDPR for Canada. There are 10 points describing the rights and obligations that organizations must follow in commercial transactions with Canadian consumers under the GDPR for Canada:
- Identifying purposes
- Limiting data collection
- Use, process, and retention
- Integrity and confidentiality
- Individual Access
- Challenging Compliance
Anyone familiar with the General Data Protection Regulation would have already noticed many aspects in the overview of the 10 principles of PIPEDA that are also reflected in the EU GDPR. Nevertheless, there are deviations in detail, specifically regarding the consent for the collection of personal data. Let’s take a quick look at each of the 10 abovementioned points:
The principle of accountability means that an organization above a certain size must appoint a person who is responsible for the management of the collected personal data. This person is called the Privacy Officer in the GDPR – in the Personal Information Protection and Electronic Documents Act PIPEDA he or she is called the Privacy Officer or Chief Privacy Officer (CPO). In smaller companies, the Privacy Officer may also perform his or her function on a part-time basis. His or her primary responsibility is to develop, implement and monitor procedures that satisfy the privacy requirements under PIPEDA. Furthermore, the Privacy Officer must receive and respond to complaints regarding data collection. An important area is also the training of employees and the communication of data protection requirements relevant to individual areas of responsibility. If a consumer has expressed his consent for data processing by a third party, it is the Privacy Officer’s responsibility to ensure that the third party complies with the PIPEDA requirements.
2. Identifying purposes
For what reason does a company want to store a customer’s personal data? The purpose must be disclosed to the consumer not later than at the point of time when the data is collected. Sharing this information creates transparency and makes it easier for the company to regulate access to information. According to PIPEDA, the purpose of data collection must be communicated to every employee who should come into the contact with customers. For example, if a customer is asked to share their address or phone number at the checkout, the use of data must be explained to them upon request. Paper forms and online forms that collect personal data from customers must also clearly describe the purpose of data collection. Personal data collected cannot be used for a different purpose without an explicit permission of the customer. An exception can be made for legal requirements that turn such an inquiry into a necessity.
A company cannot collect, use or pass on personal data without the knowledge and explicit consent of its customers. The intention to collect data from the customer must be clearly and unambiguously communicated. Therefore, if personal data is requested in a form, ambiguous wording is not allowed. An explicit lack of consent to provide personal information should not put a consumer at disadvantage. Companies must therefore also make their products and services available to consumers who do not wish to provide data that is not related to the products or services. However, there are some exceptions. A company may refrain from getting customer’s consent if there are legal or medical reasons not to do so. Security reasons may also apply to certain products. An explicit consent is also not required if information is collected for law enforcement purposes. Consent can also be waived in case a person is underage, seriously ill, or has a mental disability. In this case, however, consent can also be given by an authorized representative.
There are three kinds of consent:
In many cases – such as online registration – an explicit consent of the consumer is required, similar to the European General Data Protection Regulation. An opt-out is generally not provided for. Thus, in the case of Cookie Consent PIPEDA – equivalent to the cookie regulations in the GDPR – no checkboxes or buttons should be pre-selected. The consent does not have to be made in writing – an oral consent should also suffice. For example, it serves the purpose if a prospective customer gives his or her consent to subscribe to a newsletter over telephone. However, the consent given over the phone regularly makes it more difficult for a company to provide evidence. In some cases, consent can also be derived directly from the consumer’s actions.
Consumers can withdraw their consent at any time, subject to contractual or legal restrictions and deadlines. The company however should inform the customer of the consequences of withdrawing the consent.
4. Limiting data collection
The principle of limiting data collection to the amount of data necessary for a specific purpose is a principle that also plays an important role in the European GDPR. Personal data collected by a company should be limited to the amount necessary for a transaction in the context of a business relationship.
The collection and retention of unnecessary personal data should be prevented in accordance with PIPEDA. The fair and lawful means of handling data behind the phrase „Fair and Lawful Means“ should govern the customer’s data sovereignty and the need for transparent processes. The purpose of collecting certain personal data should not be obscured by deception or ambiguous statements.
5. Use, process, and retention
The use of data collected should only be allowed to the extend known to the customer and to which he has given his or her explicit consent. Disclosure or any other use of personal data is prohibited under the Canadian Privacy PIPEDA. Data retention is based on the requirements of the company as well as other legal regulations. The recommended minimum retention time amounts to one year. Within this time the company should be able to check and fulfill its legal requirements. The maximum data retention time should be determined by the company, who should also notify the other parties thereof.
The unlimited data retention is therefor prohibited – consumers must be informed upon request when their data will be deleted permanently. If requested, data should be anonymized and deleted earlier than agreed upon, subject to deadlines. Additionally, an organization must be able to provide the information on individuals who have received consent to process the data and to what extent.
The principle of accuracy ensures that personal data collected by an organization is accurate, complete and up-to-date for the purpose of use.
In this regard, the data collected should be used in the best interest of the consumer.
The principle of accuracy of PIPEDA is not only relevant with a view to the relationship between an organization and its customers. If an organization decides to collect personal data on an applicant prior to a recruitment process, no discrimination should take place as a result of an incorrect or incomplete data collection.
Updating personal information
Automatic and rotational updates of personal information are generally prohibited. This principle of PIPEDA also applies to disclosing information to third parties.
7. Integrity and confidentiality
The principle of integrity and confidentiality means that personal information must be protected from loss or theft, unauthorized access, disclosure, duplication, modification or unauthorized use. This principle applies irrespective of the format in which the data is stored.
Appropriate protection measures
The effort to protect information is related to the size of the company. A small company that uses customers’ email addresses to subscribe them for an online newsletter may store the data in a spreadsheet. The data is considered to be adequately protected if the spreadsheet is password protected and highly encrypted.
Large organizations often manage significant amounts of sensitive personal data – despite the principle of limiting data collection. These companies often become targets for attackers, which is why a considerably stronger security precautions should be taken.
All security measures should provide above-average protection for the personal data to ensure a high-level integrity.
Destruction of personal information
When personal information is to be disposed of or destroyed, it should be ensured that no human or technology will be able to restore the information. This applies to both physical destruction of paper documents and the destruction of data files on storage modules.
A company should determine easily accessible policies and procedures on processing personal information. The customers should therefore be able to access this information easily. Consumer inquiries on data protection should be satisfied within a reasonable period of time and as clearly as possible. The information must be provided in a clear unambiguous manner with no use of legal terminology.
Under PIPEDA, an organization should be able to provide the following information upon request:
- Name or title and address of the person responsible for the organization’s rules and regulations to whom complaints or inquiries can be addressed.
- Ways to access personal data
- Type of personal data collected, including a description of how it is used.
- Company or organizational rules and regulations in writing.
9. Individual Access
Upon request and after an authentication a company should be able to provide an individual with information on his or her personal data that has been collected as well as the way it is being processed. If a customer doubts the accuracy or completeness of personal data, he or she may insist on making the changes to the data collected. This may include correcting, deleting or adding data.
Information requests on personal data can be refused for various reasons. This applies if the information is subject to attorney-client privilege or a confidential business relation.
Before granting access to personal data, an organization must verify the identity of the person making inquiry.
Some organizations do this by requesting an official identification. When appropriate, verification is also possible using account information in combination with other information such as a maiden name or stored password. However, strict authentication requirements should not be an obstacle for the right to access information.
Information inquiries – time and costs
Information inquiries shall be processed in a reasonable time and at minimal or no cost for the inquiring party. The inquiry shall be processed within 30 days. Should a company require more time to provide information, it should notify the inquiring party of the delay and provide a reason for it.
10. Challenging Compliance
The principle of Challenging Compliance stated in PIPEDA enables customers and consumers to take specific action against companies in the event of a breach of rule according to the GDPR Canada.
Companies shall be able provide procedures to receive and respond to complaints and inquiries. These procedures should be simple and easy to use. Furthermore, under the GDPR Canada, companies must investigate complaints, even if they believe the complaint to be not justified. If the complaint proves to be valid, appropriate remedial action must be taken. The company’s data protection officer is responsible for receiving complaints and initiating proceedings.
In our next post we will have a deeper look on Cookies, Cookie Consent and privacy notices.