Does your company do business in Canada? If so, and that business includes transmitting, storing, and using personally identifiable information (PII), the organization must meet the Personal Information Protection and Electronic Documents Act (PIPEDA) requirements. This is where a PIPEDA compliance checklist comes in handy.
The purpose of PIPEDA is to promote trust between consumers and businesses while also ensuring that an individual’s personal information is protected. The act became law in 2000, and has expanded to include all private-sector industries that handle PII.
If you’re new to PIPEDA requirements, they can be confusing. Unlike other laws designed to protect personal information, PIPEDA does not come with detailed guidelines. Companies only have a broad framework to follow.
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act applies to private-sector organizations that collect, use, and disclose personal data. It covers all industries, including finance, health, and broadcasting.
PIPEDA is similar to the European Union’s General Data Protection Regulation (GDPR) in the sense that it protects information while also giving consumers rights on how it is gathered and used. It applies to all international companies, including those in the U.S. that do business in Canada.
While the premise of PIPEDA is simple, keeping personally identifiable information secure and giving consumers the right to know how their data is used, meeting the requirements can be difficult for companies that are new to cybersecurity protocols.
Who Needs to Be PIPEDA Compliant?
Canadian law states that any organization that is not federally regulated must be PIPEDA compliant if personal information is disclosed, gathered, or used during a commercial activity. Federal enterprises are also subject to PIPEDA regulations if commerce is conducted using employee information.
If an organization is located in a Canadian province that already has data protection laws in place, then the company will need to comply with those regulations. International companies doing business in Canada will need to follow PIPEDA requirements.
There are ten fair information principles included in the Personal Information Protection and Electronic Documents Act. These are the requirements that companies must follow.
- Accountability: It is the responsibility of the company to control the personal information it manages. The business is also expected to assign data management and protection to an individual or team to ensure all ten PIPEDA standards are met.
- Identify How Data is Used: When or before data is collected, the consumer needs to be informed of why the information is being gathered.
- Consumer Consent: Businesses must have the consumer’s consent before collecting any personal data.
- Limit Data Collection: Information collected from consumers is limited to only what is required for the specified purpose.
- Limit Use and Disclosure of Data: Consumer information can only be used and disclosed for the reasons it was gathered.
- Accuracy: All personal data should be accurate and complete.
- Cybersecurity Safeguards: All personal information should have the appropriate safeguards in place to protect it from cybersecurity breaches.
- Openness: The practices and protocols put in place to protect PII must be available to consumers.
- Consumer Access: Consumers have the right to access their personal information and challenge any inaccuracies they find in their data.
- Challenge Compliance: If a consumer believes that a company is not meeting these standards, they have the right to challenge or report the business.
Companies need to understand that PIPEDA requirements are their responsibility to meet. Consumers also have rights when it comes to allowing their data to be collected and stored. Individuals can also request access to their information and report businesses for non-compliance issues.
PIPEDA Compliance Checklist
To help Canadian and international companies meet PIPEDA requirements, the Office of the Privacy Commissioner of Canada (OPC) created a tool that businesses can use to perform a self-assessment of their cybersecurity practices.
There are two parts to the tool. The first part is understanding the ten principles that companies are responsible for meeting. The second is using the self-assessment tool to check if your company is meeting PIPEDA requirements.
There should be one person, more if needed, responsible for ensuring that the company is compliant with PIPEDA. One of their first goals is to create a policy that protects consumer information. The practices should also include the nine other principles listed in the Personal Information Protection and Electronic Documents Act.
The individual responsible for meeting the compliance standards should be in senior management or given the authority to ensure the cybersecurity protocols are implemented.
When companies are collecting consumer information, keeping records makes it easier to stay in compliance. If you’ve documented when and why the data was gathered, it will be a breeze to pull up the information when an individual asks for it. Under PIPEDA, organizations must be able to tell an individual, when asked:
- Why the data was collected
- What steps are taken to ensure the data is only used for the reason it was collected
- When consent is needed to use the data for other purposes
Records on data collection and usage might also be required if a cybersecurity breach occurs.
Before your business gathers any personally identifiable information from a consumer, the individual must give consent. Their consent cannot be implied simply because they are purchasing goods or services; the consumer must be aware that their data is being collected.
Part of the compliance standard states that the individual cannot feel pressured to give consent. If they refuse, the company cannot withhold goods and services. The organization cannot penalize the individual.
Most companies include a disclosure form with the purchase for the individual to sign. Once the document is signed, the organization has the right to use the data for the purposes stated.
Limiting Data Collection
The data collected by your company should be limited to information needed solely for the purpose consent was given.
Regularly reviewing the procedures used to collect data will help you only collect the information needed. Any unnecessary data should be destroyed according to industry regulations.
Limiting Data Use and Disclosure
Your cybersecurity practices should include procedures that ensure PII is only used for the reasons it was collected. There should also be a policy that determines how long consumer information is saved. It is usually only as long as it’s needed for the intended purpose.
The information collected should be kept accurate. How this is done will depend on the organization. Some companies send emails to consumers asking whether their data is up to date; other businesses routinely check when the consumer purchases goods or services.
Personally identifiable information must be protected from cybersecurity breaches that include unauthorized access, theft, altering, and copying of data. PIPEDA does not have guidelines on how organizations should meet this standard, but you can refer to the NIST framework for guidance.
Some of the safeguards you should implement include restricting physical and remote access to data. Passwords and ID badges will help control who has access to PII. Encrypting data at entry and exit points is another security measure that should be in place.
Your privacy policy should describe the PII the organization collects, along with the organization’s PIPEDA practices. It should also include information on how PII is shared and how individuals can request access to their data.
When someone requests their data, you must respond within 30 days. Your response will include:
- Details on if you are storing their PII
- What the data is
- How the organization uses the information
- What third parties the individual’s data was shared with
If the individual’s information is inaccurate, it must be corrected if appropriate for its stated use.
An individual can challenge a company regarding PIPEDA compliance. The organization must have practices implemented that will receive, review, and respond to the individual’s complaint.
The complaint will need to be investigated, and any changes to the current cybersecurity policies need to be documented. Your answer to the complainant will include information on the changes made, along with steps they can take if they’re not satisfied with your response.
As complicated as meeting PIPEDA requirements is, the penalties for cybersecurity breaches aren’t any easier to understand. However, this does not mean that American companies doing business in Canada don’t need to worry about potential penalties.
There are two ways a non-compliance complaint can be filed against a company: the first is by an individual, the second is a notice from the Office of the Privacy Commissioner of Canada (OPC).
When the complaint is filed, it goes through the “intake” stage. If the claim is resolved or unfounded, no further action will be taken against the organization. Some consumer or OPC complaints involve more serious potential compliance violations, and these will need to be investigated by an OPC officer. Once the investigation is finished, the company will be given practices to implement that are designed to meet PIPEDA regulations.
The organization can be taken to federal court if the complaint is not resolved or if the organization fails to follow the recommendations of the OPC officer. While there are no legal requirements that force companies to implement OPC recommendations, they do have to follow the court’s orders. These can include:
- Changing the company’s practices and policies
- Making the changes public
- Paying restitution to the individual that made the complaint
There are three criminal offenses listed in the Personal Information Protection and Electronic Documents Act. Along with incurring potential fines and penalties, organizations can be criminally prosecuted.
- Destroying any data about a complaint after it was made. This includes the individual’s information previously gathered by the company.
- Penalizing the employee or consumer that made the initial complaint.
- Preventing OPC officials from investigating the complaint or providing misleading information to the investigator.
As difficult as it might be to implement some of the requirements for PIPEDA compliance, it is worth it to avoid potential federal prosecution.
PIPEDA requirements can be confusing, and implementing them may seem too costly and time-consuming. However, if you are familiar with NIST practices or the EU’s GDPR, it won’t be as difficult as you might think.
At RSI Security, we are familiar with PIPEDA requirements and the checklist created by the OPC. If you have questions or need assistance implementing a protocol, our experts are here to help.