Personal Information & Data Privacy in Canada: PIPEDA 101
What is PIPEDA?
In Canada, most legal obligations pertaining to cybersecurity can be found in one of the privacy laws. The principal law is the Personal Information Protection and Electronic Documents Act (PIPEDA), which became law on April 13th, 2000 and came into full effect on January 1st, 2004 after a two-stage implementation. The legislation not only covers the ways data should be safely stored in the digital world, but also how organizations must collect, use, and disclose personal information in the course of commercial activities.
We also don’t want to ignore Bill C-11, the Digital Charter Implementation Act, 2020, which would repeal parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) and replace them with a new legislative regime governing the collection, use, and disclosure of personal information for commercial activity in Canada. As the core of this regime, the Consumer Privacy Protection Act (CPPA) would be enacted to maintain, modernize, and extend existing rules and to impose new rules on private-sector organizations for the protection of personal information.
Bill C-11 or CPPA is not yet law as of the date of this blog post. It must be passed by both Houses of Parliament and receive Royal Assent. It is still in the legislative process for second reading and debate.
If passed, Bill C-11 would replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates how the private sector handles consumer data, by introducing the CPPA.
Ok, back to the current and active legislation PIPEDA.
PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of commercial activity.
The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.
Alberta, British Columbia, and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use, or disclosure of personal information that occurs within that province.
Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use, and disclosure of personal health information.
All businesses that operate in Canada and handle personal information that crosses provincial or national borders during commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).
If you are not sure if your business is subject to PIPEDA, please consult “Find the right organization to contact about a privacy issue” and the Office of the Privacy Commissioner of Canada’s website.
What is PII Under the Personal Information & Data Privacy in Canada?
Under PIPEDA, ‘personal information’ or Personally Identifiable Information (PII) is defined as information about an identifiable individual such as age, name, marital status, educational level, e-mail addresses, ID numbers, income, ethnic origin, blood types, employee files, credit records, loan records, medical records, opinions, evaluations, purchases, height, weight, fingerprints, voiceprints, and so on.
The objective behind the law is to balance the need for organizations to use data for legitimate business purposes against individuals’ right to privacy. At the same time, by incorporating the Canadian Standards Association’s Model Code for the Protection of Personal Information and making its provisions mandatory, the government aimed to reassure the European Union, which declared the law adequate in the early 2000s.
Does PIPEDA apply to your organization?
PIPEDA applies to:
- Federal works, undertakings or businesses, no matter where they are located (e.g. banks, radio and television stations, inter-provincial trucking, airports and airlines, railways, telecommunication companies such as internet service providers, etc.)
- Organizations engaged in commercial activities that involve inter-provincial or international personal information flows – in this case, the organization has to comply with PIPEDA for all transactions pertaining to these flows.
- Organizations operating in provinces that do not have a substantially similar private-sector privacy law. The Commissioner has declared that British Columbia, Alberta, Quebec, and, in matters relating to health care, Ontario, have substantially similar legislation. As a consequence, companies operating within these provinces (or within the health sector in Ontario) follow the provincial legislation, except for transactions involving inter-provincial or international personal information flows.
- Organizations in the Northwest Territories, Yukon, and Nunavut
If your company operates in more than one province, you may have to comply with more than one statute. For instance, if your organization operates in British Columbia and Alberta, you will have to comply with both statutes. In addition, if you are exchanging data between your two locations or with a customer located in a different province, you will have to obey PIPEDA for this exchange. Examples include selling a mailing list from one province to another or sending customer data to a loyalty program in another jurisdiction.
3 Facts About PIPEDA
- According to s. 29, PIPEDA must be reviewed every five years by the committee of the House of Commons designated for that purpose.
This means that your cybersecurity obligations may be altered to reflect new technologies and threats. Compliance requires a proactive attitude and an information security framework that is continually revised in light of new legal developments. Flexibility and awareness are key to evolving your cybersecurity program to meet the stated requirements.
- Digital Privacy Act
The Digital Privacy Act (formerly known as Bill S-4), received Royal Assent in June 2015 and amends PIPEDA in significant ways. The changes pertaining to breaches of security safeguards (data breaches) are still to come into force, once the necessary regulations are put in place.
- The Privacy Commissioner can now:
  - enter into compliance agreements to ensure the application of PIPEDA.
  - make public any information that comes to his knowledge in the performance or exercise of his duties or powers under the Act, if it is in the public interest.
- The creation of data breach notification provisions and recordkeeping requirements.
- Reasonable cybersecurity
The concept of ‘reasonableness’ is prominent across PIPEDA, and organizations are required to perform many contextual analyses to determine whether their practices are compliant. For instance, the Safeguards principle states that an organization must adopt security safeguards that are appropriate for the sensitivity of the personal information it holds.
What future for PIPEDA?
Experts are still debating whether PIPEDA will continue to meet the new European standards of the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. Many believe that the US-EU Privacy Shield should “mark a new height for Canadian Regulators to reach”.
It used to be that the legal meaning of personally identifiable information (PII) was clear: data that can distinguish the identity of an individual. By contrast, the standard for mere personal information (PI) was lower because there was so much more of it; if PI is a galaxy, PII was the solar system. However, the CCPA, California’s privacy law, and the EU’s GDPR have shifted the definition to include additional types of data that were once considered fairly benign. The CCPA enshrines personal data rights for consumers, a concept that the GDPR first brought into play.
The GDPR states: “Personal data should be as broadly interpreted as possible,” which includes all data associated with an individual, which we call “contextual” information. This includes any information that can “directly or indirectly” identify a person, including real names and screen names, identification numbers, birth date, location data, network addresses, device IDs, and even characteristics that describe the “physical, physiological, genetic, mental, commercial, cultural, or social identity of a person.” This conceivably could include any piece of information about a person that isn’t anonymized.
Businesses will need to identify the types of information they collect and whether they fit into one or more of the 11 data categories broadly defined within the law. If they are collecting PII from customers in the United States, they may also need to determine if that information falls under the CCPA’s list of exemptions. These include organizations that collect personal information governed by other statutes, such as HIPAA, GLBA, or the Drivers Privacy Act, to name a few. Partial exemptions also exist for information collected about employees, as well as in certain B2B transactions.
Implementing a Privacy Operations Framework
A Privacy Ops framework is where you can bring all your legal, compliance, IT, and security teams together in one place. You can use it to manage your vendors, data, data subject requests (DSRs), compliance workflows, consent information, and notifications from a single dashboard with full visibility.
Ahmad Alomari, Principal Cyber Security Engineer at SecureOps, has been working overtime to help clients identify PII, add security to the databases that store sensitive data, map systems, and, most challenging of all, build processes for handling the requests from prospects and consumers that laws such as the CCPA encourage. In Ahmad’s video, he suggests “it’s not just changing privacy terms or using technology to better protect customer data, there are significant changes that must be made to databases, CRM systems, and other systems and applications that organizations may not be aware of at this point in the legislation’s lifecycle.”
There are numerous privacy frameworks. Some are established by independent organizations such as the International Organization for Standardization (ISO), which established the ISO 29100 privacy framework. Others are established by standard-setting bodies related to specific countries or governments. For example, the United States National Institute of Standards and Technology (NIST) established a NIST Privacy Framework. Other privacy frameworks are created by private companies, trade associations, or organizations.
Conclusion – An Organization’s Responsibilities Under PIPEDA
Businesses must follow the 10 fair information principles for protecting personal information, which are set out in Schedule 1 of PIPEDA.
By following these principles, you will contribute to building trust in your business and in the digital economy.
The 10 principles in Schedule 1 are:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
To Learn More About PIPEDA and How to Comply with the Legislation Please Call Us – as Always We Are Happy to Help – 1 (888) 982-0678