PIPEDA: How Personal Information in Canada is Protected

Find out how PIPEDA protects personal information in Canada. We’ll go over how it works, which organizations must comply, and what to do if there’s a breach.
With a few taps of our fingers, technology makes transactions that were once difficult easy. But the question is: how secure is our personal data when it is collected, whether offline or online?

To address this concern, data privacy laws institutionalize certain protections. One of these laws is PIPEDA.

What is PIPEDA and what is its purpose?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal law governing how businesses use personal information and electronic documents.

It is one of several privacy laws in Canada that dictate how private-sector organizations must handle personal information in the course of their commercial activities.

Purpose of the law

PIPEDA has 2 goals:

  1. Personal information: the law establishes rules on the collection, use, and disclosure of personal information. This protects every Canadian’s right to privacy while allowing businesses to handle personal information in a reasonable manner.
  2. Electronic documents: the law establishes rules on electronic alternatives to paper documents, wherever they are used by government agencies and as required by federal laws.

What is protected under PIPEDA?

PIPEDA ensures the protection of personal information when used by organizations during their commercial activities.

Personal information

Under the law, personal information is defined as “information about an identifiable individual”. It covers both factual and subjective information about a person, whether or not it is recorded.

Some examples of personal information include:

  • personal data: name, age, social status, marital status, religion, ID numbers, ethnic origin, blood type, medical records, education history
  • employment details: employee files, records of disputes arising from a consumer-merchant relationship, disciplinary actions
  • financial records: income, credit records, loan records
  • personal views: personal opinions, evaluations, comments

This list is not exhaustive; other forms of information may qualify as personal information, depending on the circumstances.

What organizations must comply with PIPEDA?

PIPEDA applies only to private-sector organizations that handle personal information in the course of a commercial activity. These include federally regulated organizations, that is, those carrying on a federal work, undertaking, or business.

Commercial activity

Being a private-sector organization does not automatically mean an organization must comply with this law. The law covers only personal information that is collected, used, or disclosed in the course of commercial activities.

As defined by the law, “commercial activity” means any activity in the regular course of conduct of an organization that is commercial in character. This includes the selling, bartering, or leasing of donor, membership, or other fundraising lists.


Exempted organizations

The law also exempts certain organizations from PIPEDA’s coverage:

  • organizations not engaged in commercial activities: this may include not-for-profit organizations, charities, and political parties and associations. However, when these organizations do engage in commercial activities, they are covered by the law.
  • organizations covered by provincial laws: the Governor in Council may exempt an organization, or a class of organizations, if it falls under provincial laws substantially similar to PIPEDA. Such organizations may include municipalities, universities, schools, and hospitals.

Provinces with their own private-sector privacy laws are Alberta, British Columbia, and Québec.

Meanwhile, Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have also enacted privacy laws, but only for personal health information.

However, regardless of the province or territory where an organization is located, PIPEDA still applies to personal information that crosses provincial or national borders.

What are the requirements for PIPEDA?

To comply with the law, businesses and organizations covered by PIPEDA must:

  1. Obtain prior consent before any personal information is collected, used, or disclosed. Generally, consent must be explicit, and consent for collection is distinct from consent for use and disclosure.
  2. On request, respond and allow the individual to see what personal information about them the business or organization holds.
  3. Ensure that the personal information they collect and handle is protected from any third-party intrusion.

What happens when PIPEDA is violated?

When a business violates PIPEDA’s provisions on the protection of personal information, individuals should:

  1. Raise the concern with the organization’s Privacy Officer: every organization must have a designated Privacy Officer, who handles complaints from individuals who believe their personal information has been mishandled. If the complainant is unsatisfied with the outcome, they can contact the Office of the Privacy Commissioner of Canada (OPC).
  2. File a complaint with the OPC: the OPC receives complaints about businesses that violate privacy laws in Canada. Complaints can be submitted online or by mail. A complaint triggers an investigation by the OPC, which must release its Report of Findings within 1 year of the filing of the complaint.
  3. File a case in court: complainants can also bring a court action for the breach of PIPEDA:
     • if the complainant is unsatisfied with the results of the OPC’s investigation; or
     • if the OPC referred to such an action in its Report of Findings.

If a case is filed, the court may order the erring organization to:

  • correct its practices to comply with the law
  • publish a notice of the actions it has taken, or will take, to comply with the law
  • pay damages to the complainant
