Learn about the Personal Information Protection and Electronic Documents Act (PIPEDA), what type of data it covers, and how to comply with the act's new data breach notification rules, in Data Protection 101, our series on the fundamentals of information security.
A Definition of PIPEDA (Personal Information Protection and Electronic Documents Act)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations in Canada.
The act originally went into law on April 13, 2000 to foster trust in electronic commerce but has expanded since to include industries like banking, broadcasting, and the health sector.
The purpose of the law – per legislation - is to “govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Under PIPEDA, similar to the European Union's General Data Protection Regulation (GDPR) - individuals have the right to access personal information held by an organization, know who is responsible for collecting it, why it's being collected, and to challenge its accuracy. An important aspect of PIPEDA is the fact that it's designed to keep Canada's notification requirements consistent with the country's trading partners, namely the EU.
"PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the EU, which allows for the free flow of personal information from the EU to Canadian organizations," a regulatory impact analysis statement published by the Canadian government in 2017 read.
The Act requires organizations to obtain an individual's consent – either express, implied or deemed - to collect, use, or disclose information beyond what's required to fulfill the explicitly specified, and legitimate purposes.
Who is Subject to PIPEDA Compliance?
Any private enterprise in Canada that collects personal information during the course of commercial activity is subject to PIPEDA.
Canada's Office of the Privacy Commissioner has a helpful tool organizations can use to determine what organization to contact if they have a privacy issue. It also has a fact sheet on privacy legislation designed to assist enterprises as well.
Who isn't Subject to PIPEDA Compliance?
According to the Office of the Privacy Commissioner of Canada PIPEDA may not necessarily apply to provincially-regulated organizations and activities that have adopted similar privacy legislation. Provinces like Quebec, British Columbia, Alberta – and to a lesser extent Ontario, New Brunswick, Nova Scotia, Newfoundland and Labrador, have similar legislation already on the books.
Alberta and British Columbia for example, have a similar rule, the Personal Information Protection Act (PIPA) that mirrors PIPEDA in some ways.
The Act still applies to interprovincial and international transactions by organizations that flow across borders, along with federally regulated organizations like banks, telecommunications and transportation companies. The Act, even in provinces with similar legislation on the books, does apply to personal information collected, used, or disclosed by federally regulated organizations -- federal works, undertakings or businesses (FWUBs) including:
- Radio and television stations
- Inter-provincial trucking
- Airports and airlines
- Navigation and shipping by water
- Telecommunication companies such as internet service providers, phone (cellular or land line companies), cable companies
- Railways, canals, pipelines, ferries, etc. that cross borders
What is covered?
Under PIPEDA personal information is any “information about an identifiable individual,” essentially any data obtained in the course of a commercial activity.
Under PIPEDA the following can be considered personal information:
- Age, name, ID numbers, income or financial information
- Race, national, or ethnic origin
- Marital status
- Blood type
- Medical, education or employment history
- Social insurance number or driver’s license.
- Opinions, evaluations, comments, social status, or disciplinary actions; and
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
- Social insurance number or driver’s license.
What isn't covered?
- Personal information handled by federal government organizations listed under the Privacy Act
- Provincial or territorial governments and their agents
- Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
- An individual's collection, use or disclosure of personal information strictly for personal purposes
- An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
What does the latest amendment to PIPEDA mean for data breach notification rules?
As of November 1, 2018, organizations subject to PIPEDA that experience a data breach need to determine whether the access or loss of personal information can cause a "risk of significant harm" to individuals.
The new provisions were approved back in 2015 as part of S-4, the nation's Digital Privacy Act.
Under the new amendments, in order to comply with PIPEDA, organizations must:
- Report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals
- Notify affected individuals about those breaches
- Notify any other organization that may be able to mitigate harm to affected individuals; and
- Track and keep records of all breaches for at least 24 months following the date it determined that a breach occurred
Using a PIPEDA breach report form, organizations must inform individuals “as soon as feasible after [its] determined that a breach of security safeguards involving a real risk of significant harm has occurred.”
The OPC defines harm as "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." It assesses "risk of significant harm" cas being associated with the following:
- The sensitivity of the personal information involved in the breach
- The probability that the personal information has been, is being or will be misused
- Any other prescribed factor.
PIPEDA defines a breach of security safeguards as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.” For those interested in digging deeper, Clause 4.7 breaks these safeguards down further but on the whole its measures like passwords, encryption, and security that can prevent unauthorized access, disclosure, copying, use, or modification.
PIPEDA doesn't identify specific safeguards orgs can use but does stress that organizations need to ensure personal information is adequately protected. The penalty for failing to report a data breach - or separately, failing to keep or destroy data breach records - could result in a fine of up to $100,000.
In order to comply with PIPEDA's new rules, it's important for organizations to have data protection safeguards in place to detect and respond to potential security incidents and to ensure personal information in under their control.
Canada's Office of the Privacy Commissioner has a helpful tool organizations can use to determine what organization to contact if they have a privacy issue. It also has a fact sheet on privacy legislation designed to assist enterprises as well. The office also has a self-assessment tool to help medium and large organizations form good privacy governance and management.