CHAPTER 14:
PIPEDA

Since 1 January 2004, Canada’s Personal Information Protection and Electronic Documents Act (‘PIPEDA’) has applied to all Canadian businesses (both paper-based and online), unless they are subject to substantially similar provincial laws. See www.privcom.gc.ca/legislation/ss_index_e.asp for more information on what is considered to be ‘substantially similar’.

A separate Privacy Act applies to personal information held by the Canadian central government.

These Acts are both overseen by the Privacy Commissioner of Canada (www.privcom.gc.ca) and the Federal Court.

PIPEDA was designed to satisfy the EU that Canadian privacy laws were adequate for the protection of EU citizens. It incorporates and makes mandatory provisions of the Canadian Standards Association’s Model Privacy Code of 1995, and is based on 10 principles:

1. Accountability

2. Identifying purposes

3. Consent

4. Limiting collection

5. Limiting use, disclosure, and retention

6. Accuracy

7. Safeguards (protect personal information against loss or theft; safeguard the information from unauthorized access, disclosure, copying, use or modification; protect personal information regardless of the format in which it is held)

8. Openness

9. Individual access

10. Provide recourse

PIPEDA defines personal information as ‘information about an identifiable individual’. This includes any factual or subjective information, recorded or not, in any form. The following is considered personal information:

• name, address, telephone number, gender;

• identification numbers, income or blood type; and

• credit records, loan records, existence of a dispute between a consumer and a merchant, and intentions to acquire goods or services.

‘Personal information’ does not include the name, business title, business address, or business telephone of any employee (the sort of information you would find on a business card).

PIPEDA also covers sensitive personal information, which may include health or medical history, racial or ethnic origin, political opinions, religious beliefs, trade union membership, financial information and sexual preferences.

In summary, PIPEDA gives individuals the right to:

• know why an organization collects, uses or discloses their personal information;

• expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;

• know who in the organization is responsible for protecting their personal information;

• expect an organization to protect their personal information by taking appropriate security measures;

• expect the personal information an organization holds about them to be accurate, complete and up-to-date;

• obtain access to their personal information and ask for corrections if necessary; and

• complain about how an organization handles their personal information if they feel their privacy rights have not been respected.

PIPEDA requires organizations to:

• obtain consent when they collect, use or disclose personal information;

• supply an individual with a product or a service even if that individual refuses consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction;

• collect information by fair and lawful means; and

• have personal information policies that are clear, understandable and readily available.
