PIPEDA compliance with RecordPoint

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal directive for data privacy in Canada.

It became law on April 13, 2000, and governs how private sector organizations who do business in Canada protect consumer data. Companies who collect and process consumer data in Canada must comply with this legislation, and with RecordPoint, they can be confident that their data governance and data privacy standards are in compliance.

See all regulations

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal law in Canada that governs how private sector organizations ensure the privacy of consumer data. It was passed on April 13, 2000, as part of an effort to build consumer trust in e-commerce. The law has since gone through several reviews, with the first one occurring in 2007.

PIPEDA applies to any private-sector organization that collects, uses, or discloses personal information in the course of a commercial activity throughout Canada. The law defines a commercial activity as any transaction, act, conduct, or regular course of conduct that is commercial in nature. This can mean selling goods and services, bartering, and/or the leasing of donor, membership, or other fundraising lists.

As specified in PIPEDA, personal information refers to data about an identifiable individual, not including the name, title or business address, or telephone number of an employee of an organization.

PIPEDA empowers individuals with the right to:

  • Know why a company or organization collects, uses, or discloses their personal information
  • Expect the reasonable and appropriate collection, use, and disclosure of their personal information as well as not to use the information for any purpose other than that to which they have consented
  • Know who is responsible for protecting their personal information
  • Expect organizations to protect their personal information by taking appropriate security measures
  • Expect that their personal information is accurate, complete, and up-to-date within the organization's databases
  • Obtain access to their personal information and ask for corrections if necessary
  • Complain about how an organization handles their personal information if they feel their privacy rights have not been respected

PIPEDA requires a few things from organizations, including:

  • Receiving consent from consumers before collecting data
  • Supplying an individual with a product or service even if they refuse to have their data collected, unless the data collection is necessary for the transaction
  • Collecting information by fair and lawful means
  • Having personal information policies that are clear, understandable, and readily available

Some businesses are exempt from PIPEDA – companies who comply with provincial legislation in Alberta, British Columbia, and Quebec don't have to follow PIPEDA guidelines because those provincial laws are similar in scope to the law.

How can businesses comply with PIPEDA?

Businesses required to comply with PIPEDA need to follow the 10 fair information principles.

Accountability

First, identify all the non-public information (NPI) you have and where it lives – cataloging and storing your data in in a secure and scalable, cloud-based data inventory makes it easier to monitor. Next, evaluate your security measures – banks must have a system in place for protecting NPI to ensure GLBA compliance.

Identifying purposes

Organizations need to identify the purpose for which personal information is being collected. This purpose must then be documented prior to determining what personal data actually needs to be collected, and must be communicated to customers at, or before the time of collection.

Consent

Organizations can only collect, use, or disclose personal information with the knowledge and consent of the individual. This is inline with GDPR rules in the European Union. Law enforcement investigations are one of the few exceptions, and in that case personal data can only be disclosed to another organization.

Limiting collection

Organizations should limit the personal information they collect only to what is needed for the purposes identified by the organization. Minimizing the amount of data required can limit the possible exposure in case of a data breach. This collection must be done through fair and lawful means.

Limits on use, disclosure, and retention

Unless otherwise consented to, or where required by law, personal information can only be used or disclosed for the purposes for which it was collected. Organizations can only keep personal information as long as required to serve the defined purpose.

Accuracy

Organizations need to keep the personal information they have as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used. Inaccurate information could place organizations in breach of PIPEDA.

Safeguards

Organizations must use security tools to protect the personal data in their possession. These protective tools need to be appropriate for the sensitivity of the information. Think role-based access controls and data governance that help with determining policies around accessing consumer data.

Openness

Creating personal information management policies isn't enough –  these policies and practices need to be transparent and readily available for anyone to review. These policies should also be easy to understand for the average person without complicated legalese.

Individual access

Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging compliance

An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.

How RecordPoint can help

RecordPoint is designed with key features designed to assist with PIPEDA compliance. These features include:

Data minimization

Proactively dispose of data you don’t need with custom retention policies that make minimization effortless.

AI classification

Use AI to classify data instantly, so you know exactly where sensitive data lives and how to protect it.

Compliance task automation

Automate compliance tasks with AI and machine learning models trained on your data.

Penalties for noncompliance

Penalties for noncompliance with PIPEDA come in three forms:

  • Financial penalties – Business and organizations can be fined up to $100,000 CAD for each violation of PIPEDA. The Office of the Privacy Commissioner (OPC) is aggressive in investigating complaints about violations, with Home Depot of Canada recently being found to violate PIPEDA by sharing data with a service provider without explicit consent.
  • Class-action lawsuits or other legal actions –The OPC is limited in terms of what penalties it can assess, but organizations in violation of PIPEDA may be referred to the Attorney General of Canada for additional legal action. As a result of this referral, organizations could be audited, forced into compliance agreements, or be forced to disclose company behavior to the public among other punishments.
  • Reputation impact – OPC publicly denouncing a business for violating PIPEDA could result in a loss of consumer trust. This may result in fewer consumers doing business with that organization and result in knock-on financial impacts.

Frequently asked questions

Have another question? Looking for more details? Reach out to our friendly team who will be happy to help.

Contact us
What kind of data is covered under PIPEDA?
What businesses are covered under PIPEDA?