If your company does business in Canada, it needs to be familiar with the Personal Information Protection and Electronic Documents Act (PIPEDA). Canada's federal private-sector privacy law covers organizations that collect, use, or disclose personal information in the course of commercial activities. It applies not only to companies based in Canada but also to foreign businesses that handle Canadians' personal information in connection with commercial activity in Canada.
Although the act is often compared with the European Union's General Data Protection Regulation (GDPR), there is still confusion about who is subject to PIPEDA and what personal information it protects.
In this article, you will learn what the Personal Information Protection and Electronic Documents Act is and how it could affect your business. You’ll also find information on PIPEDA compliance requirements and what steps to take if a data breach occurs.
What is PIPEDA
PIPEDA was passed by Canada's Parliament in 2000 to promote trust between consumers and e-commerce sites, and it came into force in stages from 2001 onward. Its coverage was expanded over time to include the health, banking, and broadcast industries, among others.
The primary purpose of the act is to regulate the collection, use, and disclosure of personal information while recognizing individuals' right to privacy. Organizations may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. For example, a health-care provider legitimately collects, uses, and shares health information, but that same information should not be used by a financial institution to decide the outcome of a loan application.
Under PIPEDA, consumers also have the right to request their personal information from an organization. Individuals can see who is collecting, why the data is being gathered, and challenge inaccuracies if any are discovered.
The Personal Information Protection and Electronic Documents Act covers the requirements an organization must meet, while also protecting consumer privacy rights.
Under PIPEDA, organizations that do business in Canada are required to:
- Obtain the individual's meaningful consent before collecting, using, or disclosing personal information.
- Collect information only by fair and lawful means.
- State the company's personal information policies clearly and make them easy for individuals to understand.
- Not make consent to collection, use, or disclosure beyond what is needed for a specified, legitimate purpose a condition of supplying goods or services. An individual who declines such extra consent cannot be refused service on that basis.
PIPEDA also gives individuals specific rights that organizations doing business in Canada must respect. Individuals have the right to:
- Ask why their personal information (often called personally identifiable information, or PII) is being collected.
- Know who in the organization is responsible for protecting stored personal information.
- Expect that the organization will use the information only for the purposes they consented to, and will disclose it only appropriately.
- Expect that the information is protected by security safeguards appropriate to its sensitivity.
- Expect the business to keep their information accurate, complete, and up to date.
- Access their personal information and have inaccuracies corrected when necessary.
- File a complaint against an organization that mishandles their information.
While businesses carry the obligations under PIPEDA, individuals also play a part in keeping their information accurate by reviewing it and challenging errors they find.
Understanding PIPEDA Implementation
PIPEDA's scope has expanded since it was passed. Understanding how that scope grew makes it easier for your company to know what is expected of it.
When PIPEDA was passed in 2000, its focus was electronic commerce and building trust between consumers and online marketplaces. On January 1, 2001, it came into force for federally regulated industries, including banking, broadcasting, and airlines. Personal health information held by those organizations was brought under the act in 2002, and in 2004 coverage was extended to every organization that collects, uses, or discloses personal information in the course of commercial activity.
Organizations operating within a province that has enacted privacy legislation declared "substantially similar" to PIPEDA are exempt from PIPEDA for personal information handled entirely within that province. PIPEDA still applies to federally regulated businesses and to personal information that crosses provincial or national borders in the course of commercial activity.
Seven provinces have laws that have been declared substantially similar. The first three are general private-sector privacy laws; the remaining four apply only to personal health information held by health-care custodians:
- Quebec – The Protection of Personal Information in the Private Sector Act
- British Columbia – The Personal Information Protection Act
- Alberta – The Personal Information Protection Act
- Ontario – The Personal Health Information Protection Act
- New Brunswick – The Personal Health Information Privacy and Access Act
- Newfoundland and Labrador – The Personal Health Information Act
- Nova Scotia – The Personal Health Information Act
Organizations from outside Canada that do business in these provinces and are PIPEDA compliant will generally also meet the standards set by these provincial laws, but they should check for differences, since "substantially similar" does not mean identical.
PIPEDA Compliance Standards
There are ten fair information principles organizations must follow for PIPEDA compliance. Set out in Schedule 1 of the act, these principles guide businesses in meeting its requirements.
- Accountability – The organization is responsible for all personal information under its control and must designate an individual (or team) who is accountable for compliance with PIPEDA. This responsibility extends to information transferred to third-party vendors for processing; the organization must use contractual or other means to ensure those vendors provide a comparable level of protection.
- Identifying Purposes – Organizations must document and disclose the purposes for which personal information is collected, at or before the time of collection.
- Consent – Businesses must obtain meaningful consent before collecting, using, or disclosing personal information, and must inform individuals how it will be used.
- Limiting Collection – Information is collected by fair and lawful means and limited to what is necessary for the purposes the organization has identified.
- Limiting Use, Disclosure, and Retention – Collected information is used or disclosed only for the purposes for which it was collected and to which the individual consented, unless the individual consents otherwise or the law requires it. The information is retained only as long as necessary to fulfil those purposes; once it is no longer needed, it is destroyed, erased, or made anonymous.
- Accuracy – Personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is used.
- Safeguards – Personal information must be protected by security safeguards appropriate to its sensitivity, covering physical, organizational, and technological measures.
- Openness – Information about the organization's policies and practices for managing personal information must be readily available to individuals.
- Individual Access – On request, an individual must be informed of the existence, use, and disclosure of their personal information and given access to it. The individual can also challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance – An individual can challenge an organization's compliance with any of these principles by addressing a complaint to the designated accountable individual and, if unsatisfied, to the Office of the Privacy Commissioner of Canada.
These principles form the framework of the Personal Information Protection and Electronic Documents Act. All companies in Canada, along with international organizations that handle Canadians' personal information commercially, must adhere to them. The only exception is organizations whose activities fall entirely under a substantially similar provincial law.
What Is Personally Identifiable Information
PIPEDA covers a broad range of personal information. The act defines it as information about an identifiable individual, which includes information that can identify a person on its own or when combined with other data. Along with a person's name, age, race, social insurance number (SIN), and driver's licence number, all financial and health information is protected. Other types of data that fall under PIPEDA include:
- Marital status
- Education history
- Employment history
- Posted opinions
- Evaluations by and about the individual
- Posted comments
- Social status
- Any disciplinary actions
- Credit and loan reports
- Intentions stated by the individual
- Information on any disputes between the person and a merchant
Not all information is covered under PIPEDA, and it is just as important for organizations to know what falls outside the act. You don't want to spend time and money protecting data that does not need protection. Exclusions include:
- Information that is not about a specific individual. A postal code on its own, for example, applies to everyone living in that area, although it can become personal information once combined with other data that narrows it down to one person.
- Business contact information, such as an employee's name, title, business address, telephone number, or email address, when used solely to communicate with that person about their employment, business, or profession.
- Anonymized data, as long as it cannot be linked back to a specific person.
- Certain information about public servants is not fully protected: the name, title, and position of an employee of a government institution are treated as open information.
- Information about government offices.
- Personal information handled by federal government institutions is not covered by PIPEDA; it is protected under Canada's Privacy Act instead.
When you are deciding whether data needs to be protected, a good rule is that if the information could identify an individual, alone or in combination with other data, it is covered by PIPEDA and must be safeguarded.
One difficulty organizations face in meeting PIPEDA compliance standards is the breadth of the framework. It tells companies what is protected and what rights individuals have, but it offers little guidance on how to implement the security safeguards it requires.
Organizations that have already implemented the NIST Cybersecurity Framework usually only need to keep their controls current against the latest threats. If your company has not, adopting the NIST framework will go a long way toward meeting PIPEDA's safeguards principle, although it does not by itself guarantee compliance.
Some of the areas the NIST framework covers are:
- Data encryption
- Controlling physical and logical access
- Incident response planning
- Performing regular risk assessments
- Digital forensics
- Having information security policies in place
Safeguards should also address common attack vectors, including ransomware, phishing, other malware and worms, email spoofing, and domain hijacking.
If the company uses third-party vendors to process personal information, the business remains accountable for that information and must ensure, through contracts and oversight, that the data is protected on the vendor's end as well.
Data Breach Requirements Under PIPEDA
Since November 1, 2018, organizations subject to PIPEDA have been required to report to the Office of the Privacy Commissioner of Canada (OPC), and to notify affected individuals of, any breach of security safeguards involving personal information that creates a real risk of significant harm to an individual.
The organization must also keep a record of every breach of security safeguards, not only those it reports, for 24 months after it determines that the breach occurred. These records should describe the breach and the steps taken to contain it and prevent a recurrence, and they must be provided to the OPC on request.
Records are required even when a breach is not reported to the OPC. A breach does not have to be reported only when the organization determines that it does not create a real risk of significant harm, taking into account the sensitivity of the information involved and the probability that it has been or will be misused.
When that risk assessment is a close call, it is safer to report the breach to the Office of the Privacy Commissioner of Canada. In every case, keep thorough records: if a further breach occurs, you will have the documentation to show that the company has been proactive in protecting personal information.
Any company that is doing business in Canada needs to be familiar with the country’s data protection laws and this means being compliant with PIPEDA.
Even though the law does not prescribe a specific framework for implementing the required security safeguards, following the guidelines laid out by NIST will help.
If you have any questions about PIPEDA or need guidance setting up your company’s cybersecurity protocols, the experts at RSI Security are here to help.