Your company is located in the U.S., but you do business with consumers in Canada. Even if you are compliant with all information protection acts in the U.S., the organization still needs to meet Canada’s PIPEDA privacy policy standards.
In 2000, Canada enacted the Personal Information Protection and Electronic Documents Act (PIPEDA), which protects consumer data, while also giving individuals specific rights. Like other data privacy laws, there is the risk of fines and penalties for non-compliance.
An organization can already meet the requirements for data privacy set down by the European Union, along with the California Consumer Privacy Act (CCPA), but this doesn’t mean that the business is PIPEDA compliant.
In this article, you find information on the standards your company needs to meet, along with a template to help you create an effective PIPEDA compliant privacy policy.
What is the PIPEDA Privacy Policy?
Canada first passed PIPEDA into law in 2000, and its scope has expanded over the years. Initially, the act applied only to private-sector businesses; it has since grown to cover every organization that collects, stores, and uses consumer personal information for commercial purposes.
Essentially this means that any organization, whether online or with a physical storefront, is subject to PIPEDA regulations.
The purpose of the Canadian privacy law is to protect consumer information from data breaches, while also ensuring individuals’ rights. For example, under PIPEDA, consumers must give their consent to have their data collected and to know how it will be used. Individuals can also request documents from organizations that show how the information is being used and if their data is accurate.
Organizations that are found to be in violation of the PIPEDA privacy policy can face fines and penalties, along with federal charges in a Canadian court. With stiff penalties a possibility, along with a lack of consumer trust, U.S. companies need to be compliant with these regulations.
PIPEDA Privacy Policy Template
PIPEDA sets out several fair information principles, each of which addresses the collection, use, and disclosure of personally identifiable information. Alongside these principles, there is one overarching rule that every organization must follow: collected consumer data may only be used for a reasonable purpose.
A PIPEDA privacy policy template will let you know if you are using, storing, and handling private consumer data for a reasonable purpose. It will guide you on which protocols you need to implement, and whether the data you collected is being used for the reason the individual consented to.
Here’s what should be included in your PIPEDA privacy policy template.
Accountability
Your business is accountable for any PIPEDA compliance violations, even if you weren’t aware of them. Due to the large volume of information your company takes in, it’s recommended that a team or individual employee is responsible for ensuring you are compliant with PIPEDA standards.
Designing a PIPEDA privacy policy and posting it where employees can familiarize themselves with it is the first step. The second is to ensure that all third-party vendors also follow your company’s practices, because under the Canadian privacy act you are responsible for any third-party non-compliance as well.
To protect your company, include a disclosure stating that the consumer’s information may be used by a third party; this helps you stay in compliance.
Identifying Purposes
The reason your business is collecting an individual’s data must be made clear before the data is gathered and included in the company’s privacy policy. The policy should state why specific types of information are needed and how it will be used.
The privacy policy identifying the reasons why data is collected also pertains to any apps associated with the business a consumer might download. You want the privacy policy to be as transparent as possible to prevent any potential complaints later on.
Consent
The key principle to PIPEDA compliance is gaining consent from an individual to collect their information and use it for the purposes stated in the privacy policy. If you do not have the consumer’s consent and your company still gathers the data, it is a violation of the Personal Information Protection and Electronic Documents Act.
In-person consent forms are easier to manage, but they won’t work for e-commerce sites. The consent agreement needs to be short and concise so that consumers know exactly what they are agreeing to.
The PIPEDA privacy policy also states that not only do individuals need to give initial consent for their information to be collected and used, but the agreement also has to be regularly updated.
Limit the Scope of Data Collection
If the consumer’s information isn’t necessary, it shouldn’t be collected. A company cannot gather excess data that might be used at a later date.
An organization must have protocols in place that limit the scope of information gathered to only what is necessary for the purposes the consumer consented to.
Limit Information Use, Disclosure, and Retention
Companies can only use collected data for the purpose the individual consented to. If a business intends to use PII for other reasons, the consumer must give approval. Organizations can only keep the information for as long as it is needed for the consented purpose, and then it must be destroyed.
Alternatively, the data can be anonymized rather than destroyed, but retaining it in any form still carries some risk of a data breach.
Accuracy
All collected information must be accurate and complete. It is also important to keep the data organized. Larger corporations might find it difficult to keep consumer data current, but there are tools that will help.
Sending out routine emails asking consumers to update their information will help with online customers. For in-person sales, it’s not uncommon for companies to ask at the point-of-sale if all supplied information is accurate.
Safeguards
All consumer information that an organization has gathered must be protected from data breaches. Effective, commonly used safeguards include protection against theft and unauthorized access, as well as controls that prevent the data from being copied or altered.
Some methods that companies commonly use include:
- Requiring passwords for data access
- Encrypting data before sending or receiving it
- Limiting who has access to the data
Open Access
Having open access means that the company has a clear and concise privacy policy that anyone can understand. There cannot be any ‘hidden’ clauses concealed in the policy’s fine print.
Individual Access
Any consumer that has given consent to have their information collected is legally entitled to request access to the data under the PIPEDA privacy policy.
Once your business has received the request, you have 30 days to respond. If you don’t, the individual can challenge the company’s compliance standards.
Challenging Compliance
An individual has the right to challenge a company’s PIPEDA compliance, and the organization must respond within 4 weeks. If the compliance issue is not resolved, the Office of the Privacy Commissioner can be notified.
Once the office is notified, your company will need to undergo an audit by an OPC officer.
Is Your Company PIPEDA Compliant?
Ensuring that your company meets all PIPEDA principles will help it meet compliance standards, but it’s also easy to overlook some aspects that could lead to a data breach.
Answering a few questions about your current protocols and practices will ensure that your company is following the PIPEDA privacy policies.
Information Collected from Consumers
- Are you collecting information that is covered by PIPEDA? It includes any data that can be used in whole or part to identify an individual.
- Is the information gathered going to be used as part of your business practices? For example, an email address to update online customers about upcoming sales.
- Do you have a designated place to safely store the data while it is being used for the reasons consent was given?
- Is access to the stored data restricted and is there a record of who can access it?
- Do you have a privacy policy in place, and is it updated to include the types of information you collect from consumers?
Company Responsibilities Under PIPEDA
- Do you have someone or a team responsible for ensuring that the privacy policies are being implemented according to PIPEDA recommendations?
- Are the responsibilities for ensuring that the data is secure clearly outlined for employees?
- If a request for information access is filed, do your employees responsible for PIPEDA standards know how to respond? To avoid a non-compliance complaint, you must respond with the information requested within 30 days.
- Is your privacy policy up-to-date, including where consumers can contact individuals in charge of the company’s privacy practices?
Information Collected, Used, Disclosed, and Retained
- Did you disclose why you are collecting the individual’s data?
- Is disclosure information given before or at the point of sale? One part of PIPEDA expressly states that an individual must not be made to feel forced to provide personal information, which is why it’s recommended that your intent to gather data is disclosed before the start of the transaction.
- Is the information gathered being used for the purposes consent was given for?
- Do you have documentation giving you permission to use consumer data?
- Does the company have a timeframe for destroying inaccurate and old information?
- How will old information be destroyed?
Consumer Consent
- Do employees know that an individual must give consent before data is collected?
- Is express consent requested when consumers provide sensitive information?
- Are the consents for consumer data easy to comprehend?
Accurate Records
- Is the data collected, used, and stored current and accurate?
- When information is updated, are records kept?
- If third parties are involved, is their information current?
Protecting Consumer Data
- Are there adequate safeguards in place to prevent data breaches?
- Do the cybersecurity protocols match the sensitivity of the information stored?
- Is access to data limited to a ‘need-to-know’ basis?
- Does one person, usually in upper management, know why and how data is being collected?
Privacy Policy
- Does your staff know that there is a legal timeframe dictating the amount of time you have to respond to an individual’s data request?
- Can your company retrieve the requested information without disrupting business operations?
- Is the requested information provided in a concise manner at little or no cost to the consumer?
- Do you offer alternative formats, such as braille or audio recordings, for individuals who are blind or deaf?
- Is it easy for consumers to file complaints about your use of their data?
- Does your company promptly respond to consumer complaints about your data privacy practices?
- Do you investigate consumer privacy policy complaints and advise the individuals on the potential courses of action?
- If the complaint is accurate, do you take the appropriate measures to correct it?
If you cannot answer ‘yes’ to those questions, then your company has not met all PIPEDA privacy policy requirements.
Conclusion
Even with a template, it can be difficult to meet PIPEDA requirements. Not only does the Canadian privacy act require companies to protect consumer data, but it also gives individuals several rights over how their information is used.
If your organization does business in Canada and you need advice on how to implement the necessary practices, or if you can’t answer ‘yes’ to the checklist questions, the experts at RSI Security can help. Feel free to contact us if you need advice or one of our professional technicians to set up your cybersecurity protocols.