The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 


Canada

International Regulations

Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

S.C. 2000, c.5

Highlights

Applicability:

PIPEDA applies to private-sector organizations that collect, use, or disclose Personal Information in the course of a Commercial Activity. It also applies to federally regulated organizations (e.g., airports, aircraft, and airlines; banks and authorized foreign banks; telecommunications companies; etc.).

However, PIPEDA does not apply to organizations subject to provincial laws deemed substantially similar to PIPEDA with respect to the collection, use, or disclosure of Personal Information that occurs within the relevant province. Provinces with substantially similar privacy laws include Alberta, British Columbia, and Quebec.[1] Additionally, PIPEDA does not apply to not-for-profits, charity groups, or political parties and associations, unless they engage in Commercial Activities (e.g., selling or leasing membership lists).

PIPEDA also does not apply to certain types of Personal Information, including:

  • Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession.
  • Personal Information an organization collects, uses, or discloses solely for personal, domestic, journalistic, artistic, or literary purposes.

Business Obligations:

PIPEDA requires organizations to follow ten “fair information principles” when processing Personal Information:

  • Principle 1 – Accountability
  • Principle 2 – Identifying Purposes
  • Principle 3 – Consent
  • Principle 4 – Limiting Collection
  • Principle 5 – Limiting Use, Disclosure, and Retention
  • Principle 6 – Accuracy
  • Principle 7 – Safeguards
  • Principle 8 – Openness
  • Principle 9 – Individual Access
  • Principle 10 – Challenging Compliance

As part of compliance with the fair information principles, organizations must (among other requirements):

  • Collect, use, and disclose Personal Information only for purposes that a reasonable person would consider appropriate in the circumstances.
  • Not collect, use, or disclose Personal Information in the following ways:
    • Collection or use that is otherwise unlawful.
    • Profiling or categorization that leads to unfair, unethical, or discriminatory treatment contrary to human rights law.
    • Collection, use, or disclosure for purposes known or likely to cause significant harm.
    • Publishing Personal Information for the purpose of charging individuals for its removal.
    • Requiring passwords to social media accounts for employee screening.
    • Surveillance of the individual's own device through audio or video functionality.
  • Use contractual or other means to provide a comparable level of protection for Personal Information it transfers to a service provider.
  • Inform individuals, when disclosing Personal Information to a service provider located outside of Canada, that their information may be processed in a foreign country and may be accessible to the law enforcement and national security authorities of that jurisdiction.
  • Inform individuals at the time of collection how the organization will use and disclose their Personal Information.
  • Obtain consent for the collection, use, or disclosure of Personal Information unless an exception applies.
  • Not collect more Personal Information than is necessary to fulfill the purposes the organization identifies.
  • Collect Personal Information by fair and lawful means.
  • Protect Personal Information with appropriate security safeguards.
  • Maintain appropriate privacy policies and practices.
  • Fulfill data subject requests.

Individuals’ Rights:

Organizations must respond within 30 days to individuals’ requests regarding the processing of Personal Information, including individuals’:

  • Right to access
  • Right to correct inaccuracies

Organizations may require an individual to provide sufficient information to permit the organization to identify the individual and respond to the request, provided such information is used solely for responding to the request.

More Details

Definitions:

  • Business Contact Information: Any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business, or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address.
  • Controller: A person that, alone or jointly with others, determines the purposes and means for processing Personal Data.
  • Commercial Activity: Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.
  • Personal Information: Information about an identifiable individual. Personal Information includes employee information only where collected, used, and disclosed by a federally regulated organization.

Penalties:

Violations of PIPEDA may be enforced solely by the Office of the Privacy Commissioner (OPC). The OPC cannot make orders or impose fines. Instead, it can apply to the Federal Court of Canada to hear the matter or refer matters to the Attorney General of Canada for prosecution. The Federal Court can order an organization to (i) correct its practices, (ii) publish a corrective notice, or (iii) pay damages to a complainant. Fines for violations range from a maximum of $10,000 to $100,000 CAD depending on the violation.

Private Action:

No

Associated Regulations:

  • The Digital Privacy Act
  • Canada’s anti-spam legislation (CASL)

Effective Date:

January 1, 2001


1These provincial laws do not apply in lieu of PIPEDA with respect to: international or interprovincial transactions which include Personal Information (for example, the transfer of Personal Information outside of the province); and the Personal Information of employees and candidates for employment of federally regulated organizations.
