Personal Information Protection and Electronic Documents Act (PIPEDA)
With the January 1, 2004 compliance deadline looming, more
and more businesses and organizations are scrambling to meet
the regulations. Federally regulated industries (banks, radio
stations, air transport, railways, etc.) in Canada have had
to be compliant with the regulation since January 2001, while
all other organizations have until January 1, 2004 to comply.
First enacted into Canadian law in April 2000, PIPEDA places
limits and controls on organizations with respect to the collection,
use and disclosure of personal information. This personal
information includes information about an identifiable individual
that is recorded in any manner (paper, electronic or medical).
Personal information does not include any information that
would be found on a business card.
Under PIPEDA, individuals have substantial rights with respect
to personal information an organization collects, uses and
discloses about them. Individuals now have the right to ask
an organization to review any information that they store
about themselves. Individuals may ask for a log or audit trail
as to how this information has been used. This includes information
that is collected on websites for purposes of sending newsletters
and other information or accessing 'locked' information (chat
forums, secure log-in sites, etc.).
Organizations will have restrictions placed on them regarding
disclosure of their intended use of personal data. Fines for breaches
of PIPEDA or for non-compliance can range up to $100,000, depending
upon the severity of the breach or non-compliance.
As a business in Canada, your compliance plan can vary from
a locked filing cabinet with an access log to digital asset
management; it depends on the amount of sensitive data, the
access rate of the data and how that data is used. Many companies
have been following PIPEDA compliance unconsciously as part
of their common-sense business ethics, but getting all company
personnel to think of customer privacy first is the biggest
challenge.
PIPEDA's principles were developed by businesses, consumer
organizations, government and others along with the Canadian
Standards Association to create a voluntary national standard
for personal information based on 10 principles. These principles
have now been incorporated into federal law.
These 10 principles include:
1. Accountability - an organization is responsible
for the personal information under its control and who has
access to this information.
2. Identifying purposes - an organization must state
why this information is being collected and for what purpose this
information will be used.
3. Consent - knowledge and consent of an individual
are required for the collection, use or disclosure of personal
information.
4. Limiting collection - collection is limited to that
which is necessary for the purposes identified by the organization.
5. Limiting use, disclosure and retention - no personal
information shall be used or disclosed for any reason other
than that for which it was collected, except with the consent
of the individual or as required by law. Also, the information
shall only be kept as long as is necessary for the fulfillment
of those purposes.
6. Accuracy - personal information collected should
be as accurate, complete and up to date as is necessary to
fulfill the purpose identified.
7. Safeguards - personal information is to be protected
by security safeguards appropriate to the sensitivity of the
information collected.
8. Openness - the organization must make available
to the individual specific information about its policies
and practices relating to the management of personal information.
9. Individual access - upon request an individual shall
be informed of the existence, use and disclosure of his/her
personal information and given access to that information.
10. Challenging compliance - an individual shall be
able to raise a challenge concerning compliance.
Setting up your company compliance plan involves deciding how sensitive
personal information is collected, audited, stored, monitored
and retrieved. No matter how big or how small your business,
you will be expected to comply.
PIPEDA standardizes the way customer personal information
is handled. With the implementation of this act, PIPEDA helps
companies that are committed to protecting consumer privacy.
By respecting the privacy of your customers you build consumer
confidence in your company, protect the integrity of your
organization, increase customer loyalty and improve your bottom
line.
For more information on PIPEDA, check out these sites:
Personal Information Protection and Electronic Documents Act
Privacy Commissioner of Canada
Canadian Consumers Information Gateway
Privacy for Business
To learn more or book your free PIPEDA consultation, contact Nautalex.