In 2000, Canada enacted the Personal Information Protection and Electronic Documents Act (PIPEDA), which protects consumer data, while also giving individuals specific rights. Like other data privacy laws, there is the risk of fines and penalties for non-compliance.
An organization may already meet the data privacy requirements set down by the European Union and the California Consumer Privacy Act (CCPA), but this does not mean that the business is PIPEDA compliant.
Canada first passed PIPEDA into law in 2000, but over the years its scope has expanded. Initially, the act applied only to private-sector businesses; it has since grown to cover every organization that collects, stores, and uses consumer personal information for commerce.
Essentially, this means that any organization, whether online or with a physical storefront, is subject to PIPEDA regulations.
The purpose of the Canadian privacy law is to protect consumer information from data breaches, while also ensuring individuals’ rights. For example, under PIPEDA, consumers must give their consent to have their data collected and to know how it will be used. Individuals can also request documents from organizations that show how the information is being used and if their data is accurate.
There are several fair information principles covered by PIPEDA, and each one addresses the collection, use, and disclosure of personally identifiable information. Alongside the principles, there is one overarching rule that all organizations must follow: consumer data may only be collected and used for a purpose a reasonable person would consider appropriate.
Your business is accountable for any PIPEDA compliance violations, even if you weren’t aware of them. Due to the large volume of information your company takes in, it’s recommended that a team or individual employee is responsible for ensuring you are compliant with PIPEDA standards.
To protect your company, include a disclosure stating that the consumer’s information may be used by a third party; this will help you stay in compliance.
In-person consent forms are easier, but they won’t work for e-commerce sites. The consent agreement needs to be short and concise to ensure that consumers know exactly what they are agreeing to.
Limit the Scope of Data Collection
If the consumer’s information isn’t necessary, it shouldn’t be collected. A company cannot gather excess data that might be used at a later date.
An organization must have protocols in place that limit the scope of information gathered to only what is necessary for the reasons the consumer consented to.
Limit Information Use, Disclosure, and Retention
Companies can only use collected data for the purpose the individual consented to. If a business intends to use PII for other reasons, the consumer must give approval. Organizations can only keep the information for as long as it is needed for the consented purpose, and then it must be destroyed.
The information can also be rendered anonymous instead of destroyed, but this does come with the potential risk of a data breach.
All collected information must be accurate and complete. It is also important to keep the data organized. Larger corporations might find it difficult to keep consumer data current, but there are tools that will help.
Sending out routine emails asking consumers to update their information will help with online customers. For in-person sales, it’s not uncommon for companies to ask at the point-of-sale if all supplied information is accurate.
All consumer information that an organization has gathered must be protected from data breaches. Safeguards that are commonly put in place and are effective include protection from theft and unauthorized access, along with preventing the data from being copied or altered.
Some methods that companies commonly use include:
- Requiring passwords for data access
- Encrypting data before sending or receiving it
- Limiting who has access to the data
Once your business has received an individual’s request to access their information, you have 30 days to respond. If you don’t, the individual can challenge the company’s compliance standards.
An individual has the right to challenge a company’s PIPEDA compliance, and the organization must respond within 4 weeks. If the compliance issue is not resolved, the Office of the Privacy Commissioner can be notified.
Once the office is notified, your company will need to undergo an audit by an OPC officer.
Is Your Company PIPEDA Compliant?
Ensuring that your company meets all PIPEDA principles will help it meet compliance standards, but it’s also easy to overlook some aspects that could lead to a data breach.
Answering a few questions about your current protocols and practices will help confirm that your company is following PIPEDA’s privacy requirements.
Information Collected from Consumers
- Are you collecting information that is covered by PIPEDA? It includes any data that can be used in whole or part to identify an individual.
- Is the information gathered going to be used as part of your business practices? For example, an email address to update online customers about upcoming sales.
- Do you have a designated place to safely store the data while it is being used for the reasons consent was given?
- Is access to the stored data restricted and is there a record of who can access it?
Company Responsibilities Under PIPEDA
- Do you have someone or a team responsible for ensuring that the privacy policies are being implemented according to PIPEDA recommendations?
- Are the responsibilities for ensuring that the data is secure clearly outlined for employees?
- If a request for information access is filed, do your employees responsible for PIPEDA standards know how to respond? To avoid a non-compliance complaint, you must respond with the information requested within 30 days.
Information Collected, Used, Disclosed, and Retained
- Did you disclose why you are collecting the individual’s data?
- Is disclosure information given before or at the point of sale? One part of PIPEDA expressly states that an individual cannot feel forced to provide personal information, which is why it’s recommended that your intent to gather data is disclosed before the start of the transaction.
- Is the information gathered being used for the purposes consent was given for?
- Do you have documentation giving you permission to use consumer data?
- Does the company have a timeframe for destroying inaccurate and old information?
- How will old information be destroyed?
- Do employees know that an individual must give consent before data is collected?
- Is express consent asked when consumers are giving sensitive information?
- Are the consents for consumer data easy to comprehend?
- Is the data collected, used, and stored current and accurate?
- When information is updated, are records kept?
- If third parties are involved, is the information they hold current?
Protecting Consumer Data
- Are there adequate safeguards in place to prevent data breaches?
- Do the cybersecurity protocols match the sensitivity of the information stored?
- Is access to data limited to a ‘need-to-know’ basis?
- Does one person, usually in upper-management, know why and how data is being collected?
- Does your staff know that there is a legal timeframe dictating the amount of time you have to respond to an individual’s data request?
- Can your company retrieve the requested information without disrupting business operations?
- Is the requested information provided in a concise manner at little or no cost to the consumer?
- Do you have alternative response formats, such as braille or audio recordings, for individuals who are blind or deaf?
- Is it easy for consumers to file complaints about your use of their data?
- Does your company promptly respond to consumer complaints about your data privacy practices?
- If the complaint is accurate, do you take the appropriate measures to correct it?
Even with a template, it can be difficult to meet PIPEDA requirements. Not only does the Canadian privacy act require companies to protect consumer data, but it also gives individuals several rights over how their information is used.
If your organization does business in Canada and you need advice on how to implement the necessary practices, or if you can’t answer ‘yes’ to the checklist questions, the experts at RSI Security can help. Feel free to contact us if you need advice or one of our professional technicians to set up your cybersecurity protocols.