An essential element of PIPEDA is consent. The Personal Information Protection and Electronic Documents Act (PIPEDA) requires the consent of the individuals the information is about before any piece of information is collected, used, or disclosed, and only for legitimate and clearly stated purposes. A PIPEDA consent form must also take into account the sensitivity of the personal information involved.
Under PIPEDA, Canada’s privacy law, organizations are required to obtain consent for data collection and use. Here’s what a PIPEDA consent form consists of.
Application of PIPEDA
PIPEDA is a prominent federal law of Canada involving information privacy. The Act was passed into law on April 13, 2000 with the intent to boost consumer confidence in electronic commerce. PIPEDA enhances electronic commerce by safeguarding personal information and controlling how organizations obtain, utilize and share information in the private sector.
PIPEDA applies to federal works, undertakings, and businesses (FWUBs) throughout Canada. FWUBs include banks, transport and telecommunication companies. Although there are slight variations from province to province, the privacy policy laws across Canada share many similarities. Learn more about the application of PIPEDA here.
Overall, PIPEDA protects the rights of Canadians, covers their personal information, and enforces the privacy policies of organizations in both private and public sectors.
Principles of PIPEDA
PIPEDA sets out ten fair information principles that establish regulations and procedures for rendering access to personal information as well as gathering, using, and disclosing personal information. These principles enable individuals to oversee or regulate how private-sector organizations control and utilize their personal data. Below are the ten principles of PIPEDA.
1. Accountability
Private-sector organizations must designate one or more people with the necessary authority to be in charge of personal information. Each person on this team is accountable for the security of that information.
2. Identifying purpose
Private-sector organizations must know and record the reason for obtaining personal information. This will enable them to do the following:
- Tell individuals the basis for collecting their personal data
- Prevent using personal data for another reason
- Get new consent from individuals in case they want to use it for other purposes
3. Consent
Individuals must be informed before their personal details are obtained. They must not be tricked into providing their data; they must understand that their permission is required for the use of the data they provide and for its disclosure to relevant third parties.
4. Limiting collection
Organizations must collect personal information limited only to what’s necessary for the purposes identified.
5. Limiting use, disclosure, and retention
Personal details may be used and disclosed only for the purposes for which they were collected, unless the individual consents to another use or the law requires it.
Personal information must also be retained only as long as it is needed for those purposes, except where the individual may need to refer to it or review it.
6. Accuracy
Personal information must be accurate, complete, and free of errors. It must also be kept up to date to the extent required by the purposes for which it is used.
7. Safeguards
Private-sector organizations must protect personal information against alteration, theft, destruction, and unlawful disclosure. The level of security provided should match the sensitivity of the information.
Security can be provided by measures such as the following:
- Use access codes or passwords
- Limit physical access to personal information to the organization’s designated staff
- Use more advanced technological safeguards, such as encryption, to prevent easy access
8. Openness
All actions taken concerning individuals’ information should be transparent, specific, and readily available. Individuals must be aware of how their details are collected, used, and stored.
Private-sector organizations must create a privacy policy that consists of procedures concerning the information. Individuals can officially request to have access to their personal details and also know how they are being disclosed to third-party organizations.
9. Individual access
Organizations must understand that they are not the owner of personal information and only have temporary access. Since individuals are the owners of their personal information, they must have complete access.
Individuals must be informed that their personal information exists and how it is being used and disclosed to third parties. They must also be given access to their own personal information whenever they request it.
Individuals’ requests should be answered within 30 days. They should also be allowed to correct their information to ensure accuracy and proper update of the personal information.
10. Challenging compliance
Individuals shall be able to challenge an organization’s compliance with any of the privacy principles of PIPEDA. Policies and procedures should be changed, if need be, to comply with those principles.
This means that an organization must have simple and easy-to-follow procedures in place to receive and respond to complaints and inquiries.
What Should a Sample PIPEDA Consent Form Contain?
Consent is one of PIPEDA’s fair information principles. It is essential when obtaining information, and it is only meaningful when individuals are given explicit details explaining what the organization will do with the information they provide.
A consent is considered meaningful when people understand what they are consenting to — the nature, purpose, and consequence of the collection, utilization, and disclosure of their personal information.
Under the Canadian privacy law of PIPEDA, organizations are required to obtain consent for data collection and use. Here’s what a sample PIPEDA consent form should consist of:
- What personal information is collected?
- With whom will this information be shared?
- How will this information be used?
- What are the risks and consequences involved?
According to the new amendment, organizations’ compliance with PIPEDA must entail:
- Security breaches affecting personal information that create “the possibility of noticeable damage” to individuals must be reported to the Privacy Commissioner of Canada. Whether there is a possibility of noticeable damage depends on the sensitivity of the personal information involved in the breach and the probability that it has been or will be misused.
- Individuals who are affected by these security breaches should be notified. Security breaches involve loss, damage, theft, and other adverse effects on individuals’ personal information.
- Any other organization that could cause harm to the affected individuals should also be notified.
- Every breach must be tracked and recorded, and the records kept for a minimum of 24 months after the breach occurred.
Closing Thoughts
Privacy laws are key to cybersecurity in today’s digital world. Every organization must ensure that they adhere to every privacy law that concerns the security of their customers. In Canada, PIPEDA compliance is an essential aspect of all FWUBs. It’s important to hire the services of cybersecurity experts who can help you determine if your business is PIPEDA compliant.
RSI Security recognizes the importance of securing our clients’ future success. We will help you determine whether your business is in compliance with PIPEDA and help you achieve compliance if it is not. We will also notify you whenever a privacy breach occurs, using a full PIPEDA breach report form.
At RSI Security, we take great pride in providing unbiased, independent, and technically in-depth security assessments. We are here as your trusted advisor in cybersecurity and compliance. To learn more about what we do, click here.
Speak with a PIPEDA compliance expert today – Schedule a Free Consultation