A Guide to PIPEDA: Canada’s Data Protection Law
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law which became law on April 13, 2000.
The PIPEDA incorporates and also makes mandatory some of the provisions of the Canadian Standards Association’s Model Code for the Protection of Personal Information, developed in 1995.
Click here to access the full official text of the PIPEDA.
The PIPEDA became law on April 13, 2000 and went into effect on January 1, 2001. It went fully into force on January 1, 2004.
The PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.
The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.
Covered Personal Information
Under the PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- Age, name, ID numbers, income, ethnic origin, or blood type;
- Opinions, evaluations, comments, social status, or disciplinary actions; and
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
The Personal Information Protection and Electronic Documents Act provides that consent for the collection, use, and disclosure of personal information must be meaningful and that user expectations should be taken into consideration in determining the proper form of consent.
Moreover, consent under the PIPEDA will only be valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.
While the Act does not differentiate between adults, on the one hand, and youth on the other, Footnote1 the Office of the Privacy Commissioner of Canada (OPC) has consistently viewed personal information relating to youth and children as being of particular sensitivity, especially the younger they are, and that any collection, use or disclosure of such information must be done with this in mind (if at all).
While this is not the privacy notice, PIPEDA is steeped in the following: businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA.
By following these principles, you will contribute to building trust in your business and in the digital economy. The 10 principles are:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
Under this data privacy law, you need to inform individuals, when requested, if you have any personal information about them.
- Explain how it is or has been used and provide a list of any organizations to which it has been disclosed,
- Give individuals access to their information,
- Correct or amend any personal information if its accuracy and completeness are challenged and found to be deficient,
- Provide a copy of the information requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act.
An organization should note any disagreement on the file and advise third parties where appropriate.
Data Protection Assessments
The PIPEDA does not require data protection assessments.
The PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC).
Private Right of Action
This privacy regulation does not have a provision for private rights of action.
Penalties and Damages
If an organization is found to be knowingly in breach of PIPEDA requirements, it can be fined up to $100,000 for each violation.
There is currently no cure period under the PIPEDA.
There are some instances where PIPEDA does not apply. Some examples include:
- Personal information handled by federal government organizations listed under the Privacy Act,
- Provincial or territorial governments and their agents,
- Business contact information such as an employee’s name, title, business address, telephone number, or email addresses that is collected, used, or disclosed solely for the purpose of communicating with that person in relation to their employment or profession,
- An individual’s collection, use, or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list),
- An organization’s collection, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes,
Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
- Not-for-profit and charity groups, or
- Political parties and associations.
Municipalities, universities, schools, and hospitals are generally covered by provincial laws. However, the PIPEDA may apply in certain situations.
Organizations having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result.
Notification to the Commissioner must be in writing and include:
- A description of the circumstances of the loss or unauthorized access or disclosure,
- The date or time period during which the loss or unauthorized access or disclosure occurred,
- A description of the personal information involved in the loss or unauthorized access or disclosure,
- An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure,
- An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure,
- A description of any steps the organization has taken to reduce the risk of harm to individuals,
- A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure, and
- The name and contact information for a person who can answer, on behalf of the organization, the Commissioner’s questions about the loss of unauthorized access or disclosure.