With a flood of new, Canadian government-enforced compliance standards holding organizations accountable, Canada offered its contribution with a 2018 update to the Personal Information Protection and Electronic Documents Act. Since then, organizations doing business with Canadian consumers have taken advantage of various PIPEDA self-assessment tools.
In this complete guide, we will break down the critical sections of the PIPEDA. We’ve also compiled an all-star list of PIPEDA self-assessment resources. To jump to a specific section within this guide, select the desired section title below.
Table of Contents
- What is the Personal Information Protection and Electronic Documents Act (PIPEDA)?
- Regulation of Consumer Information in Canada
- To Whom Does the PIPEDA Law Apply?
- What are the Consequences of Violating the PIPEDA?
- What is a PIPEDA Self-Assessment?
- Conducting a PIPEDA Self-Assessment: 10 Principles
- What are the Top PIPEDA Self-Assessment Tools?
- Benefits of Using PIPEDA Self-Assessment Tools
- Who Should Conduct a PIPEDA Self-Assessment?
- In Conclusion
What is the Personal Information Protection and Electronic Documents Act (PIPEDA)?
The PIPEDA is a Canadian privacy law that lawmakers radically updated in 2018 to further contribute to global consumer information privacy. Similar to legislation in Europe (GDPR) and parts of the United States (CCPA), Canada’s privacy laws effectively regulate the way private and public agencies manage consumer information.
According to the PIPEDA, personal information includes, but is not limited to:
- Employee information
- Credit reports
- Loan information
- Business/consumer disputes
- Pending employment status (hiring, leaving, or changing jobs)
- Pending purchase decisions (including intents to purchase)
- Medical records
- Personal information
- Ethnicity
- Age
- Income
- ID number
- Social information
- Disciplinary information
- Ideological opinions
- Private comments
- Evaluation information
Regulation of Consumer Information in Canada
Unique to PIPEDA is the clause preventing organizations from using consumer data for tertiary reasons. That is, the Canadian consumer allows an organization to use their information expressly for the reasons stated in the agreement to exchange personal information.
If an organization wants to use a consumer’s information beyond what the consumer initially agreed, that organization must secure that consumer’s permission once again. PIPEDA laws apply to how agencies gather, use, and distribute a consumer’s information.
In addition to these principles, PIPEDA states that any collection, use, or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.
To Whom Does the PIPEDA Law Apply?
While federal agencies have some information privileges protected by other Canadian legislation, PIPEDA applies to any organization – public or private – operating within Canadian borders. That means that companies outside Canada doing business in Canada must remain compliant with PIPEDA.
Canada’s provinces are permitted to enact their own consumer privacy laws. The PIPEDA makes allowances for businesses operating in provinces with “substantially similar legislation.”
What are the Consequences of Violating the PIPEDA?
Under the Challenge principle of PIPEDA (see the “Conducting a PIPEDA Self-Assessment: 10 Principles” section below), any Canadian consumer may confront a business about potential violations. By law, this challenging consumer is protected against retaliation or discrimination.
There are many ways that the Office of the Privacy Commissioner (OPC) of Canada could take legal action against an organization found to be non-compliant. If an investigation confirms a consumer’s suspicion, then that business must submit to formal audits, ongoing remedial measures, and fines up to $100,000.
What is a PIPEDA Self-Assessment?
As the name implies, a PIPEDA self-assessment compares your company’s current privacy policy to PIPEDA law. When performing a self-assessment, you must pay careful attention to deficiencies in your current privacy policy and analyze how well your organization abides by stated policies.
That’s where PIPEDA self-assessment tools come in handy. These tools point your attention to parts of your business that most people overlook. Additionally, third-party tools help you be more objective.
The goal of a PIPEDA self-assessment is to determine whether or not you’re compliant with Canada’s privacy laws. If you operate in or do business with Canadian consumers, achieving PIPEDA compliance is not optional.
As we show you some free self-assessment tools to help you become PIPEDA compliant, we encourage you to follow up on your self-assessment with professional cybersecurity support. These specialists can help you create and maintain processes that protect your network from cyber-attacks and ensure that you meet PIPEDA compliance standards.
Conducting a PIPEDA Self-Assessment: 10 Principles
Core to PIPEDA law are the “ten fair information principles.” These principles help organizations understand how and why privacy law exists, as well as outline the rights of Canadian consumers.
The PIPEDA ten fair information principles are as follows:
- Accountability
- Purpose
- Consent
- Limitations
- Duration
- Accuracy
- Protection
- Transparency
- Access
- Challenge
1. Accountability
The OPC demands that any organization doing business in Canada appoint someone to hold that organization accountable to PIPEDA’s ten fair information principles. This individual should have the authority to require assessments and audits and to implement improved procedures to remain compliant with PIPEDA law.
2. Purpose
When asking a Canadian consumer’s permission to gather, use, or distribute their information, organizations must clearly state their purpose for doing so. If that organization’s purpose for managing consumer information changes, then it must restate that new purpose to the consumer before requesting consent.
3. Consent
Businesses – profit, nonprofit, and public – may collect, use, and distribute a consumer’s information by explicit consent only. As mentioned above, that business must re-request consent upon any change in purpose or actions that pertain to the gathering, use, or distribution of a Canadian consumer’s information.
4. Limitations
After stating the purpose and achieving consent, an organization may only gather that information essential to its stated purpose. Using superfluous or manipulative tactics that unfairly coerce the consumer to provide more information than is necessary is a violation of Canadian privacy law.
Once again, if an organization decides that it wants/needs more information from a consumer, it must restate its purpose and re-request consent before gathering more personal information.
5. Duration
After stating its purpose and achieving consent, any organization lawfully gathering, using, and distributing consumer information may not continue to do so indefinitely. Once an organization has achieved its purpose for managing consumer information, it must cease doing so, destroy that consumer information, or seek additional consent from consumers to continue gathering, using, and distributing their information.
6. Accuracy
If an organization is going to gather, use, and distribute consumer data (with their express consent), all information must be correct and up-to-date. This measure ensures that consumers can depend upon the organization serving them to accomplish the purpose to which both parties agreed.
7. Protection
Any organization gathering, using, and distributing consumer information is responsible for the safety of that information. This means that businesses should take extra care to secure their network, train their employees, perform penetration testing, and maintain their digital operations’ general security.
8. Transparency
Upon request, any organization gathering, using, and distributing Canadian consumer data should fully disclose their operations as they pertain to that consumer data. Most organizations preemptively publicize disclosures and privacy policy per PIPEDA and other compliance agencies.
Either way, any organization that refuses or is unable to provide consumer information transparency is, by definition, non-compliant and susceptible to prosecution by the OPC.
9. Access
Any Canadian consumer may request access to their personal information and how that organization uses (or has used) their information. As of 2018, personal information access is a consumer right, rather than a privilege. No organization may deny a consumer their rights to access their information and a log of how that organization managed that consumer’s data.
10. Challenge
If a Canadian consumer suspects that an organization has violated their rights under the PIPEDA, that consumer may issue a challenge against that organization. The consumer must first take their challenge directly to the individual in charge of the organization’s consumer data privacy (see “1. Accountability” above).
What are the Top PIPEDA Self-Assessment Tools?
There are numerous paid and free PIPEDA self-assessment tools available online. To assist your cybersecurity team, we’ve compiled our four favorite tools online. Each resource is 100% free and created by privacy law experts.
OPC Self-Assessment Tool
The Office of the Privacy Commissioner (OPC) of Canada website contains a stockpile of PIPEDA self-assessment tools. One of our favorites is the Full Assessment, online version (see above). Simply follow the instructions in the survey and collect your results at the end.
After completing the assessment, you can hand over the results to your CISO or cybersecurity team. If you don’t currently have cybersecurity experts in your corner, you can contact an RSI Security representative today to discuss what your organization needs to become PIPEDA compliant.
OPC Privacy Toolkit
The Guide for Businesses and Organizations Privacy Toolkit is one of the most exhaustive whitepapers and checklists available for organizations. Authored and updated by the OPC, this 43-page PDF is one of the best downloadable resources on PIPEDA compliance.
The OPC Privacy Toolkit organizes itself by the ten fair information principles. It goes into detail about each set of compliance standards and provides a thorough checklist to help you perform your own PIPEDA self-assessment.
Google Cloud and PIPEDA Whitepaper
For those organizations moving to the cloud, Google G Suite services work hard to remain compliant with all leading privacy laws, including the CCPA, GDPR, and PIPEDA. Google discloses its policies and procedures in its whitepaper, Google Cloud and PIPEDA Whitepaper.
What’s particularly helpful about this resource is that Google experts composed the whitepaper in an instructional and informative format. This approach allows Google to further service its clients by showing them what it means to take PIPEDA laws seriously.
Additionally, organizations considering a transition to the cloud can get a picture of why it’s critical to know whether your cloud services provider is PIPEDA compliant. Your organization is ultimately responsible for the cybersecurity and compliance of outsourced services.
This Google Cloud resource will help you choose your outsourced IT and cloud services carefully. Should other organizations outsource digital and data services to your company, it is doubly important that you follow Google Cloud’s example in remaining compliant and disclosing your compliance standards to clients and consumers.
Legislation Leader Compliance Toolkit Canada
Shred-it is a brand committed to helping organizations properly dispose of sensitive information after it is no longer needed. The Legislation Leader Compliance Toolkit for Canadian businesses can help your organization take Limitation, Duration, and Protection principles seriously.
This PIPEDA self-assessment toolkit is full of infographics, relevant links to Canadian authority websites, and checklists. Compared to the OPC Privacy Toolkit, Shred-it’s compliance toolkit is notably shorter – 12 pages, to be exact.
Benefits of Using PIPEDA Self-Assessment Tools
To some IT managers, new compliance standards can feel overwhelming or obnoxious. However, cyber-risks grow with increased technological innovation. Government-enforced compliance standards provide guidance and accountability to protect your customers and your organization.
Increased Competitiveness in Your Market
Some businesses will choose to bypass compliance standards and sacrifice an entire target market in the process. They perceive that their organization can’t or shouldn’t have to go “the extra mile” to protect consumer privacy.
But the reality is that consumers are growing more aware of cybersecurity threats. As a result, they are intentionally selecting products and services from brands that openly meet compliance standards. By taking the PIPEDA seriously, you show Canadian consumers that you take their security seriously, and as a result, you earn greater trust with consumers and clients.
Quality Risk Management
Compliance standards like the PIPEDA make it more difficult for hackers and malware to breach security and steal confidential information. That’s why government-enforced compliance standards exist in the first place – to protect consumers and further manage cybersecurity risks on a mass scale.
By abiding by PIPEDA compliance standards, your cybersecurity team can rest easier at night knowing that your organization’s liability is lower, as is the risk of lost or stolen data. By protecting consumers, you protect your business and save yourself the heartache and expense of a major cybersecurity breach.
Who Should Conduct a PIPEDA Self-Assessment?
Technically, you don’t have to be a cybersecurity expert to use the PIPEDA self-assessment tools listed above. In fact, we at RSI Security strongly encourage all business leaders to understand PIPEDA law and how it applies to their business.
That said, enlisting the help of cybersecurity experts will greatly enhance your ability to support customers and your IT department. Thankfully, cybersecurity is no longer an expense that only major corporations can afford. Two cybersecurity solutions can help small and medium-sized businesses enjoy the same cybersecurity level as their corporate counterparts:
- vCISO
- Cybersecurity Staff Augmentation
Virtual Chief Information Security Officer (vCISO)
Traditionally, a chief information security officer (or CISO) is an executive-level, six-figure-salaried cybersecurity expert. For obvious reasons, the traditional CISO role cannot help small and medium-sized businesses.
Today, organizations on smaller budgets can employ vCISOs: part-time, remote cybersecurity leaders who can offer the same level of expertise as a traditional CISO. These individuals can also act as the key point of contact required by the PIPEDA’s Accountability clause.
Cybersecurity Staff Augmentation
If a self-assessment indicates that your organization needs a cybersecurity audit and update, there’s no need to hire a new cybersecurity department. Cybersecurity staff augmentation can provide you support when you need it. This setup protects your budget, helps you meet compliance standards, and further reinforces your security procedures.
In Conclusion
Organizations doing business in Canada and managing consumer information are accountable to the PIPEDA. To help your organization become compliant, make use of the PIPEDA self-assessment tools above to see whether your privacy policy is sufficient.
For further guidance and customized cybersecurity care, reach out to one of our agents at RSI Security. We specialize in helping businesses of every size achieve and maintain third-party compliance standards, including those defined by the PIPEDA.