We came across some useful information from Privacy Horizon and supplementary sources and have combined it into the summary below on the topic of the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Please refer to the original sources below for more detailed information.
The Personal Information Protection and Electronic Documents Act ("PIPEDA") is Canadian federal privacy legislation implemented in 2004. It governs how private sector organizations collect, use and disclose personal information in the course of commercial activity. The purpose of the act is "to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."
- What is Personal Information?
- Overview of PIPEDA
- Where does PIPEDA apply?
- Using PIPEDA to Protect Personal Information
Supplementary Contact Organizations:
- For PIPEDA and Personal Health Information: Ontario Ministry of Agriculture, Food, and Rural Affairs
- For PIPEDA applications: Office of the Privacy Commissioner of Canada
We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.
What is Personal Information?
PIPEDA was put in place to protect the personal information of every individual. Personal information includes information such as:
- Age, name, income, ethnic origin, religion, and blood type;
- Opinions, evaluation, comments, social status or disciplinary actions;
- Credit records, employment history, and medical records.
Personal information does not include the name, title, business address or business telephone number of an employee of an organization.
Overview of PIPEDA
PIPEDA sets out a framework to guide businesses and individuals on how to properly approach and protect privacy in Canada. The ten fair information principles of PIPEDA are:
- Accountability: An organization is responsible for the personal information under its control and shall designate an individual who is responsible for the organization's compliance. This Chief Privacy Officer will understand relevant policies and procedures and deal with complaints.
- Identify Purposes: The purposes for which the information is collected should be identified on or at the time of collection. Organizations should develop "purpose statements."
- Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information in a commercial activity. Consent can be express or implied. The Privacy Commissioner recommends express consent in most instances.
- Limiting Collection: Information is to be collected for specific purposes and can only be used for those purposes. Information cannot be collected by misleading or deceiving the individuals about the purpose for which it is intended.
- Limiting Use, Disclosure, and Retention of Personal Information: Organizations can only use, disclose and retain personal information for the specific purposes it was collected for and must not retain it longer than needed for those specific purposes.
- Accuracy: Personal information shall be accurate, complete and up to date.
- Safeguards: The organization must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. The level of security should be appropriate to the sensitivity of the information. People with access should sign confidentiality agreements.
- Openness: The organization's privacy policies must be readily available to anyone.
- Individual Access: Individuals have the right to know what personal information about them has been collected, how it is being used, to whom it has been disclosed, and have the ability to challenge the accuracy and completeness of the information and to have any errors corrected.
- Challenging Compliance: Individuals should be able to raise any challenge concerning compliance with these principles with the organization's Chief Privacy Officer.
The Office of the Privacy Commissioner of Canada oversees compliance with PIPEDA.
Where Does PIPEDA Apply?
PIPEDA is federal legislation that applies to private enterprises across Canada. There are exceptions, however, in provinces that have put in place legislation that is "substantially similar" to PIPEDA, namely Quebec, British Columbia and Alberta. Ontario, New Brunswick, and Newfoundland and Labrador have also implemented privacy legislation specific to health care that is "substantially similar" to PIPEDA and therefore takes precedence over it.
PIPEDA legislation generally applies to:
- Private-sector organizations carrying out business in the Canadian provinces and territories but not handling employee information;
- Private-sector organizations carrying out business in Canada when the personal information they collect, use or disclose crosses provincial or national borders but not their handling of employee information; and
- Federally regulated organizations carrying on commercial activity in Canada, such as a bank, airline, telephone or broadcasting company, etc., including their handling of health information and employee information.
Using PIPEDA to Protect Personal Information
PIPEDA puts several systems in place to protect every individual's personal information. The most important option is to conduct a Privacy Impact Assessment ("PIA"). A PIA is a structured risk management methodology that helps organizations to identify and manage the privacy risks associated with new information systems and programs.
If a grievance has already occurred, the first option is always to try to work it out internally by contacting the department or agency with which there is a problem. The second is to file a complaint with the Privacy Commissioner of Canada. A full list of Access to Information and Privacy ("ATIP") Coordinators can be found here.
- Country-Specific Guidelines for Conducting a Privacy Impact Assessment
- Privacy Impact Assessment Methodology
- Tool: Privacy Impact Assessment Threshold Assessment
- Tool: Planning for Success: Privacy Impact Assessment Guide
- Tool: A Guide for Individuals Protecting Your Privacy
PIPEDA is the most recent and inclusive bill passed regarding privacy rights in Canada. The fair information principles outlined above are designed to instruct individuals and organizations on how to protect personal information. For more information on healthcare privacy legislation in Canada, please see the following: