PIPEDA: A General Overview
Updated: Jun 26
What is PIPEDA?
PIPEDA, the acronym for the Personal Information Protection and Electronic Documents Act, is federal legislation that governs how companies manage, collect, use and disclose third-party personal information gathered in Canada in the course of a commercial transaction. Many business organizations are subject to PIPEDA and must obtain an individual's consent when collecting and using their personal information. Organizations collecting personal data, even with the individual's consent, must keep in mind that personal information can only be used for the purposes for which it was collected.
Who Does PIPEDA Apply To?
Generally, PIPEDA applies to private organizations that manage, collect, use and disclose third-party personal information gathered in Canada in the course of a commercial transaction. Also, any organization that conducts business and operates in Canada and manages, collects, uses and discloses third-party personal information that crosses provincial borders, such as from Ontario into Alberta, in the course of commercial activities is subject to PIPEDA. Additionally, federally regulated organizations that conduct and operate business in Canada are always subject to PIPEDA.
What Is Considered Personal Information?
Personal information can include any of the following factual information pertaining to a person:
age, name, ID numbers, income, ethnic origin, or blood type;
opinions, evaluations, comments, social status, or disciplinary actions; and
employees’ personal information, credit records, loan records, medical records, or the existence of a dispute between a consumer and a merchant.
What Is Not Covered by PIPEDA?
There are very few scenarios where PIPEDA would not apply to an organization managing, collecting and using personal information. These include:
Personal information handled by federal government organizations;
Provincial or territorial governments and their agents;
Business contact information, such as an employee’s name, title, business address, telephone number or email address, that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession;
An individual's collection, use or disclosure of personal information strictly for personal purposes (e.g. a personal greeting card list).
Also, unless engaging in commercial activities, PIPEDA generally does not apply to charity or not-for-profit organizations, or political organizations.
An Organization's Responsibility
As previously stated, any private organization that manages, collects, uses and discloses third-party personal information gathered in Canada in the course of a commercial transaction is subject to PIPEDA. Organizations are required to follow "10 fair principles" to ensure that any personal information collected is protected.
The principles are:
Limiting Use, Disclosure, and Retention