PIPEDA Canada
Canada’s data privacy law for the private sector.
What is PIPEDA?
PIPEDA is the Personal Information Protection and Electronic Documents Act, Canada’s federal data privacy law for the private sector. It restricts how private-sector organizations collect, use, transfer or disclose personal information in the course of commercial activity. Compliance with PIPEDA is overseen by the Office of the Privacy Commissioner of Canada (OPC).
What is Personal Information and what are other key definitions?
Personal information is defined as “information about an identifiable individual.”
Generally, personal information includes:
- ID numbers, a person’s age, name, income, blood type or ethnic origin;
- a person’s comments, opinions, evaluation results, social status or disciplinary actions undergone; or
- private records such as medical, credit, loan records, employee files or proof of dispute between a merchant and a consumer.
For example, personal health information about an individual, whether living or deceased, means:
- information concerning the physical or mental health of the individual;
- information concerning any health service provided to the individual;
- information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
- information that is collected in the course of providing health services to the individual; or
- information that is collected incidentally to the provision of health services to the individual.
According to PIPEDA Canada, a commercial activity is “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” A ‘federal work, undertaking or business’ means “any work, undertaking or business that is within the legislative authority of Parliament,” which includes:
- a work, undertaking or business that is operated or carried on for or in connection with navigation and shipping, whether inland or maritime, including the operation of ships and transportation by ship anywhere in Canada;
- a railway, canal, telegraph or other work or undertaking that connects a province with another province, or that extends beyond the limits of a province;
- a line of ships that connects a province with another province, or that extends beyond the limits of a province;
- a ferry between a province and another province or between a province and a country other than Canada;
- aerodromes, aircraft or a line of air transportation;
- a radio broadcasting station;
- a bank or an authorized foreign bank as defined in section 2 of the Bank Act;
- a work that, although wholly situated within a province, is before or after its execution declared by Parliament to be for the general advantage of Canada or for the advantage of two or more provinces;
- a work, undertaking or business outside the exclusive legislative authority of the legislatures of the provinces; and
- a work, undertaking or business to which federal laws, within the meaning of section 2 of the Oceans Act, apply under section 20 of that Act and any regulations made under paragraph 26(1)(k) of that Act.”
Last but not least, the term ‘organization’ refers to “an association, a partnership, a person and a trade union.”
Who has to comply with PIPEDA?
PIPEDA Canada applies to:
- organizations that collect, use or disclose personal information in the course of their commercial activities; and
- personal information about an employee of, or an applicant for employment with, an organization, where the organization collects, uses or discloses it in connection with the operation of a federal work, undertaking or business.
All businesses that operate in Canada and handle the personal information of Canadian residents in the course of their commercial activities, as well as those whose data flows cross national or provincial borders, are subject to PIPEDA. This holds regardless of where the business is based and regardless of the similar data privacy legislation in force in certain provinces: an organization may fall under its provincial privacy law for activity within that province, but once its data crosses borders, PIPEDA applies.
Under Canada's PIPEDA, federally regulated organizations that conduct business in Canada are covered as well, including the personal information of their employees.
Federally regulated organizations include, but are not limited to:
- banks and authorized foreign banks;
- telecommunication companies;
- airports and airlines;
- radio and TV broadcasting companies;
- offshore drilling companies;
- international or inter-provincial transport companies.
Who is excluded from compliance with PIPEDA?
There are several instances where PIPEDA Canada is not applicable, namely:
- for government institutions to which the Privacy Act applies;
- for any individual who collects, uses or discloses personal information solely for personal or domestic purposes; and
- for any organization that collects, uses or discloses personal information for literary, journalistic or artistic purposes only.
How can I keep my organization compliant with PIPEDA?
Under PIPEDA Canada, the information that is generally used for online monitoring and targeted advertising, such as a website visitor’s IP address, can be considered personal information.
Website visitors have to be aware of and consent to the collection, use or disclosure of the personal information collected and opting out should be made available to them at the time of or even before collection.
If you cannot tell your website visitors, in plain language, that you are collecting their personal information and for what purposes, or if you cannot offer them a way to consent to or opt out of that collection, you should not use any tracking technology, even if it is used only for advertising or website analytics.
The same applies if opting out of personal information collection leaves your website unusable.
Because meaningful consent is required for the collection, use and disclosure of personal information, and meaningful consent is hard to obtain from children, you should avoid tracking children and avoid tracking on websites aimed at children.
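The practical consequence of the three points above is that tracking scripts must not run until the visitor has agreed, and withdrawing that agreement must stop them on the next page load without breaking the site. The following is an added example, not code from this page or from Clym’s product, of a consent-gated tag loader: the cookie name, the policy version, the purpose names and the tag URLs are all hypothetical, nothing is fetched, and the page content itself never depends on the tags.

```javascript
// Consent-gated loading of tracking scripts. Added example for this page;
// not Clym's product code. The cookie name, policy version, purposes and
// tag URLs below are hypothetical, and no request is ever made to them.
const CONSENT_COOKIE = "privacy_consent";
const POLICY_VERSION = 2; // bump when purposes change: older records no longer count as consent
const PURPOSES = ["analytics", "advertising"];

// Tags keyed by purpose (constructed URLs for illustration only).
const TAGS = {
  analytics: "https://analytics.example/collect.js",
  advertising: "https://ads.example/pixel.js",
};

// Decode a cookie value, returning the raw text if it is not valid percent-encoding.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch {
    return value;
  }
}

// Parse a "k=v; k2=v2" string (the shape of document.cookie) into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return out;
}

// Return the stored consent record, or null when there is none, it is malformed,
// or it was given for an older policy version (new purposes need fresh consent).
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== POLICY_VERSION) return null;
    if (typeof rec.purposes !== "object" || rec.purposes === null) return null;
    return rec;
  } catch {
    return null;
  }
}

// Default deny: a purpose may run only with an explicit true in a valid record.
function purposeAllowed(record, purpose) {
  return record !== null && record.purposes[purpose] === true;
}

// The tag URLs the loader may inject for this visitor.
function tagsToLoad(record) {
  return PURPOSES.filter((p) => purposeAllowed(record, p)).map((p) => TAGS[p]);
}

// Serialise a consent decision as a Set-Cookie style value. A withdrawal is
// simply a record with every purpose false, so the next page load stays tag-free.
// nowMs is injectable so the output is deterministic in tests.
function buildConsentCookie(purposes, nowMs = Date.now()) {
  const rec = { version: POLICY_VERSION, purposes: {}, ts: nowMs };
  for (const p of PURPOSES) rec.purposes[p] = purposes[p] === true;
  const value = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${60 * 60 * 24 * 365}; SameSite=Lax; Secure`;
}

// Browser glue, guarded so the module also loads under Node. Only consented
// tags are injected; a visitor who declines still gets the full, working page.
if (typeof document !== "undefined") {
  for (const src of tagsToLoad(readConsent(document.cookie))) {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
}
```

Two design points matter for Principle 2 and Principle 3: the version check forces a fresh consent prompt whenever the purposes change, and the absence of a record is treated as a refusal rather than as implied consent, so nothing loads before the visitor has acted.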
PIPEDA Canada outlines 10 principles that you need to follow in order to maintain compliance. These 10 PIPEDA principles are closely related among themselves and are as follows:
PIPEDA Principle 1 — Accountability
You are responsible for the personal information under your control and must designate one or more individuals (referred to on this page as DPOs) who are accountable for compliance, and you must train your staff on your organization’s policies and practices.
The identity of the DPO(s) has to be either made readily available, or provided upon request.
Last but not least, you are responsible for setting up procedures for receiving and answering complaints and enquiries.
PIPEDA Principle 2 — Identifying Purposes
You are responsible for identifying the purposes of personal information collection either before or at the time of collection.
This has to be made explicit to your visitors and if the purpose of the information collected changes, you will need to ask for consent once more, unless the new purpose is mandated by law.
PIPEDA Principle 3 - Consent
You must ensure the knowledge and consent of your website’s visitors when collecting, using or disclosing personal information, except in the limited situations where obtaining consent is impossible or inappropriate, for example for legal, medical or security reasons.
This principle requires both knowledge and consent from the individuals concerned, and you may not make the supply of your product or service conditional on consent to collection, use or disclosure beyond what is required to fulfil the purposes you have explicitly stated.
The form in which consent is obtained can vary, and consent can be withdrawn at any time at which point you must inform the individual(s) in question of the implications of their withdrawn consent.
PIPEDA Principle 4 — Limiting Collection
The amount as well as the types of personal information you collect has to be limited to that which is necessary for the purposes already outlined.
Information must be collected by fair and lawful means, without deception.
PIPEDA Principle 5 — Limiting Use, Disclosure, and Retention
You cannot use or disclose the personal information you have collected for any purpose other than those for which it was collected, unless you first obtain the consent of the individual concerned or are required by law to do so.
Once the personal information has served the intended purpose it has to be destroyed, erased or made anonymous.
You are responsible for developing guidelines and implementing procedures for the retention and ultimately erasure, destruction or anonymization of the personal information collected, once it no longer serves the intended purpose.
Retention periods may be subject to legislative requirements or can be established by your organization.
PIPEDA Principle 6 — Accuracy
The personal information that you collect has to be at all times accurate, up to date and complete, as is necessary to serve the intended purpose for which it was collected.
You have to take into account the interests of the individual whose personal information you collected, as well as the use of the information itself in order to determine the extent to which it is accurate, up to date and complete.
Updating personal information should not be a routine practice unless you need to do so to fulfill the purpose for which the information was collected.
PIPEDA Principle 7 — Safeguards
In order to protect the personal information that you collect against loss, theft, and unauthorized access, disclosure, copying, use or modification, you must have safeguards in place that match the sensitivity of the information.
Your safeguards will also depend on the amount, distribution, format and method of storage of the information, and can include physical, organizational and technological measures.
Safeguards apply equally to the disposal or destruction of personal information that is no longer needed, so that unauthorized parties cannot gain access to it.
PIPEDA Principle 8 — Openness
You have to provide your website visitors with detailed information on your policies and practices that outline how you manage their personal information.
The information has to be made readily available and in a format that is easy to understand and it has to include details such as the contact details of your DPO, the means through which you collect their information, as well as what type of information you collect and for what purpose, and last but not least, what information you share with related organizations, such as subsidiaries.
PIPEDA Principle 9 — Individual Access
Your website visitors must be able to access the personal information you hold about them. If they ask, you have to inform them of the existence, use and disclosure of their information, and they have to be able to challenge the accuracy and completeness of the information you hold about them.
A few key points:
- There are certain cases where providing access to information may not be possible but these exceptions should be limited and very specific.
- A clear reason has to be given to your visitors for your not being able to provide access.
- Exceptions include information that contains references to other individuals, information that would be prohibitively costly to provide, information protected for commercial proprietary, security or legal reasons, and information protected by solicitor-client privilege.
- Your visitors may be asked to provide sufficient information to gain access to the personal information you hold, before gaining access.
- When referring to any third parties that have received personal information of your visitors, you have to be as specific as possible and where this is not possible, a list of organizations to which you may have disclosed information about the visitor should be provided instead.
- You have to reply to every request for access within 30 days of receiving it, and at minimal or no cost to the person who sent it.
- When the individual demonstrates that the personal information you hold is inaccurate or incomplete, you have to amend it accordingly, whether that means correcting, adding or deleting data, and, where appropriate, you have to transmit the amended information to third parties that have access to it.
- When a challenge of accuracy is not resolved to the satisfaction of the visitor who sent the request, you have to record the substance of the unresolved challenge and, where appropriate, transmit its existence to third parties that have access to the information.
PIPEDA Principle 10 — Challenging Compliance
Your website visitors have to be able to challenge compliance with any of the above principles at any given time by contacting your DPO.
In this respect, you have to have procedures in place for receiving and responding to complaints or inquiries about your privacy policy as well as how you handle personal information, and these have to be easily accessible and simple to use.
Once you’ve received a complaint or inquiry, you have to inform the sender of the existence of relevant procedures, you have to investigate every complaint and, if found to be justified, you have to take appropriate action including, if necessary, updating your policies and practices for handling personal information.
In addition to following the 10 principles that stand at the base of PIPEDA, your website should clearly state how you plan to do this.
Keeping your website visitors informed about the collection of their personal information, as well as how you plan to use, share or protect this, will ensure that you stay ahead of any potential issues and also that your website visitors will feel safe to come back to you.
At Clym, we can help you do this via our cookie banner which will let your website visitors know that your website uses cookies, it will give them access to your privacy policies, and will allow for the opt-out option, should they wish to choose this.
Organizations must report to the OPC, and notify the affected individual(s), following any breach of security safeguards that poses a real risk of significant harm to an individual, and must keep a record of every breach of security safeguards.
The details are outlined on the OPC’s breach reporting page.
You are encouraged to file your report using the PDF form available, but you also have the option to submit this in any other format you deem fit for purpose, and to use the OPC’s secure breach reporting portal.
What data access rights does PIPEDA Canada grant?
Unlike some other data privacy laws, PIPEDA frames access as a general right under the 10 principles rather than as a detailed catalogue of rights. In practice it gives individuals 3 data subject access rights, namely:
- Right to access
- Right to know
- Right to correct
How to address data subject access requests under PIPEDA?
Upon receiving a data subject access request, you have to take the following steps:
- Inform the requester whether you have the information about them that they are asking for;
- Inform them how it has been used and provide a list of the third parties to which it was disclosed;
- Give them access to the information in an easily accessible format and either at no cost or at a minimal cost;
- Correct or amend information that is proven to be inaccurate and, where needed, inform third parties of the updated information;
- Respect the 30-day deadline for answering each request; where you need more time, notify the requester within those first 30 days that you are extending the deadline by up to a further 30 days, and tell them they may complain to the OPC about the extension.
Enforcement and penalties
The OPC is in charge of overseeing compliance with PIPEDA. Offences under the Act, such as knowingly failing to report or record a breach of security safeguards, or obstructing an OPC investigation, carry fines of up to CAD 100,000 per violation.
GDPR vs. PIPEDA Canada
Although they both govern data privacy and give your visitors more control over their personal information, the two have a few main differences between them:
- GDPR applies to any business that collects and uses the personal information of individuals residing in the EEA (European Economic Area), whereas PIPEDA applies only to private-sector organizations that process personal information for commercial purposes.
- As far as jurisdiction is concerned, GDPR applies to all EEA businesses as well as non-EEA businesses that interact with EEA residents. PIPEDA applies across Canada, except that in provinces with substantially similar private-sector legislation (Alberta, British Columbia and Quebec) the provincial law governs activity within that province; PIPEDA also reaches foreign organizations that, according to the OPC, have a real and substantial connection to Canada.
- When speaking about consent, GDPR requires active consent from individuals with regard to the collection and processing of their personal information, while PIPEDA allows for either explicit or implicit consent, depending on how sensitive the personal information collected is.
Data Subject Rights - GDPR vs. PIPEDA
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
PIPEDA
- Right to access
- Right to know
- Right to correct
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.
FAQs about the PIPEDA
Is PIPEDA applicable all over Canada?
Yes. All businesses that operate in Canada and handle the personal information of Canadian residents in the course of their commercial activities, as well as those whose data flows cross national or provincial borders, are subject to PIPEDA. This holds regardless of where the business is based and regardless of the similar data privacy legislation in force in certain provinces. An organization may fall under its provincial privacy law, such as Alberta's or British Columbia's PIPA, for activity within that province, but once its data crosses borders, PIPEDA applies.
Who enforces PIPEDA?
The Office for the Privacy Commissioner of Canada (OPC) is in charge of overseeing compliance with PIPEDA.
What are the penalties for violations of PIPEDA?
Offences under the Act carry fines of up to CAD 100,000 (approx. US$73,000) per violation.