The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy protection law. Because key changes were made to PIPEDA recently, it has received increased attention. Here we help you understand those changes, discuss the history of PIPEDA, and explain the law’s overall impact on your business.
What is PIPEDA?
Enacted as a federal law in 2000, PIPEDA oversees how private sector organizations collect, use and disclose personal information in the course of commercial business. The purpose of PIPEDA is to balance organizations’ need to collect, use or disclose personal information for reasonable and appropriate purposes with the individual’s right to privacy. Under PIPEDA, organizations are required to:
- Obtain consent when collecting, using and disclosing personal information
- Collect information by fair and lawful means
- Have clear, understandable and readily available personal information policies
- Supply an individual with a product or a service even if they refuse consent to the collection, use or disclosure of their personal information—unless that information is essential to the transaction
The Office of the Privacy Commissioner (OPC) oversees PIPEDA compliance. Individuals who believe their personal information has been mishandled may complain to the Privacy Commissioner, and the OPC may assess fines of up to $100,000 if an organization is found to be non-compliant.
Who Does PIPEDA Apply To?
PIPEDA applies to all federally regulated private sector organizations. While Québec, Alberta and British Columbia have their own provincial privacy legislation, any personal information that moves across provincial borders is subject to PIPEDA regulations. Thus, if your company serves clients outside your province, it must comply with PIPEDA.
Recent Changes to PIPEDA
On June 18, 2015, the Digital Privacy Act (DPA) was passed by the Parliament of Canada, amending PIPEDA. The most significant amendments affect how organizations record and report privacy breaches:
- Records of all data breaches must be retained indefinitely
- Organizations must notify all affected individuals and the Privacy Commissioner “if it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to the individual”
Failure to comply with these amendments may result in fines and/or criminal penalties.
The Future of PIPEDA
There is no timeline for when the aforementioned amendments to PIPEDA will go into effect. In the meantime, it would be prudent to prepare your organization. Take time to assess how confidential personal information is currently stored, managed and disposed of within your company. Make sure strict chain-of-custody processes are followed when accessing, retrieving and distributing files. Review all information retention requirements to prevent sensitive records from being destroyed too early or kept too long.
Always seek professional guidance from a company specializing in records and information management services to help keep your company PIPEDA compliant.
FileBank provides records and information management solutions to businesses throughout Canada.