PIPEDA: A Practical Guide, Part 1

By Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.

Written on Jul 11, 2019 6:23:35 PM



Governments worldwide are prioritizing data privacy and personal information security, and have invested significant resources in creating data privacy laws and amending existing ones. The EU’s GDPR (General Data Protection Regulation) was created to protect the individual citizens of the European Union (EU) and the European Economic Area (EEA). However, its influence has extended beyond its intended borders, making it a more global law and leading to updated data security and privacy legislation in other countries.

Canada treats privacy, personal information security, and data protection with the utmost importance. It created privacy and information security laws over 40 years ago. In this guide, we touch on how these laws affect businesses throughout the country. The most important laws for compliance include the Privacy Act, Access to Information Act, Freedom of Information Act and PIPEDA. This guide focuses on PIPEDA, and considers how it aligns with GDPR, and why it is important to data security and privacy. 

About the Canadian privacy law landscape

The history of privacy laws in Canada

[Figure: Canadian privacy laws timeline]

The four privacy statutes

Today, there are four privacy statutes that govern the private sector. These are collectively known as the Canadian Privacy Statutes. These laws oversee all data processing activities undertaken by private and federal organizations. 

The four privacy statutes are:

  1. The federal Personal Information Protection and Electronic Documents Act (PIPEDA)
  2. Alberta’s Personal Information Protection Act (PIPA Alberta)
  3. British Columbia’s Personal Information Protection Act (PIPA BC)
  4. Québec’s Act Respecting the Protection of Personal Information in the Private Sector (Québec Privacy Act)

PIPEDA forms a significant portion of Canadian privacy law and aims to bring about a better balance between the commercial sector’s needs regarding the collection of personal information, and the individual’s right to privacy. It provides the consumer and general public with more security over their personal information and data, in line with everyone’s right to privacy. 

The central theme of PIPEDA is consent, and the Act differentiates between explicit and implied consent. It requires that consumers and the public be made aware of how their data will be used. Transparency about the use of the information is as crucial as consent itself.

PIPEDA is a federal private sector law that governs data privacy at an international and inter-provincial level. It is applied to the personal information held by all federally regulated businesses. The law applies to any business or organization that collects personal information, including banks, airlines, telecoms companies, railways and internet service providers. 

PIPEDA covers most of Canada, except commercial organizations in those provinces noted above, which have laws considered ‘substantially similar’ to this law. 

The ten principles of PIPEDA

PIPEDA has ten principles (source: Office of the Privacy Commissioner of Canada):

Accountability: An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.

Identifying Purposes: The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.

Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Limiting Collection: The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.

Limiting Use, Disclosure, and Retention: Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.

Accuracy: Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.

Safeguards: Personal information must be protected by appropriate security relative to the sensitivity of the information.

Openness: An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.

Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging Compliance: An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually its Chief Privacy Officer.

How does PIPEDA apply with respect to other legislation?

Industry Canada published the Process for the Determination of ‘Substantially Similar’ Provincial Legislation by the Governor in Council on 3 August 2002. This explains the basis on which provincial laws can be considered similar enough to forgo PIPEDA application. Laws are considered ‘substantially similar’ when, broadly speaking, they include clauses that reflect PIPEDA’s ten principles.

Not all organizations are subject to PIPEDA (for example, charities or political parties that are not engaging in commercial activities and not making a profit). Other privacy clauses are often included in the laws that regulate these organizations. 

Québec, British Columbia, and Alberta have implemented laws that are considered ‘substantially similar’ to PIPEDA, broadly matching PIPEDA’s ten principles. A key difference between the provincial laws and PIPEDA is that the former do not apply to federal organizations. Instead, these organizations are all subject to PIPEDA.

There are also specific health privacy laws that apply in the provinces of Ontario, Nova Scotia, New Brunswick, and Newfoundland and Labrador. These have also been found to be ‘substantially similar’ to PIPEDA, which means that health care organizations in those provinces may not need to comply with PIPEDA for the information those laws cover.

Laws on data protection in Canada


The specific laws exempt from PIPEDA are:

What is considered ‘personal information’?

The terms ‘personal data’ and ‘personal information’ can be used interchangeably. These terms are defined under the Canadian Privacy Statutes as information about an identifiable individual. Information is regarded as identifiable if it makes it possible for a user to identify an individual, or where the information combined with additional data makes it possible for users to identify the individual.

Personal information may include a person’s name, age, address, race, ethnicity, nationality, religion, marital status, education, and employment history. Sensitive information – such as financial history, DNA and identifying numbers (for example, identity number, social security number, driver’s license, passport number) – is also considered personal information.

Information that cannot be linked back to an individual is not regarded as personal information and is not protected by PIPEDA. This includes information about a business, organization or the government; information captured but rendered anonymous; and some personal information about public servants.

How does PIPEDA differ from GDPR?

Canadian privacy laws and GDPR overlap to some degree, but compliance with PIPEDA does not guarantee compliance with GDPR. To remain compliant with GDPR, Canadian organizations must make a few additional changes. 

Some of the key differences are:

Legal basis
PIPEDA: PIPEDA (with a few exceptions) requires consent as the legal basis for processing.
GDPR: GDPR provides other legal bases for data processing, such as legitimate interest.

Consent
PIPEDA: Consent may be explicit or implied, with no age of consent indicated.
GDPR: Consent is explicit, with the age of 13 indicated as the minimum age of consent.

Data portability
PIPEDA: PIPEDA does not provide a right to data portability.
GDPR: GDPR provides a right to data portability.

Right to erasure
PIPEDA: PIPEDA does not indicate an explicit right to erasure, but implies it through a statement on retention.
GDPR: GDPR provides an explicit right to erasure.

Employee data
PIPEDA: PIPEDA only applies to federal organizations.
GDPR: GDPR fully regulates the processing of employee data.

Fines and Penalties
PIPEDA: PIPEDA indicates fines of up to $100 000 for organizations that retaliate against whistleblowers, where organizations do not retain data that has been requested by an individual, and if an organization obstructs investigations by the Privacy Commissioner.
GDPR: GDPR can levy fines of up to €20 million or 4% of company turnover (whichever is higher), subject to the circumstances and the nature of the contravention.

Conclusion

While Canada’s privacy laws compare well with GDPR, there are likely to be some updates in the next few years as the country tries to achieve better alignment with GDPR’s requirements.

The biggest challenge with data privacy legislation is trying to accommodate the requirements of different laws. When we add in the complexity of SAP systems, compliance becomes a risk that organizations struggle to mitigate.

In the next installment of this series, we will discuss the ten principles of PIPEDA and their practical implications.


Disclaimer

The purpose of this guide is educational only. It is not intended to offer legal advice, and it makes no claims or guarantees with regard to efficacy, accuracy or compliance with the law discussed.

Please consult a legal advisor before implementing any part of a PIPEDA (Personal Information Protection and Electronic Documents Act) compliance project. EPI-USE Labs will not take any responsibility for misinterpretation or incorrect application of practical measures towards compliance resulting from the use of this guide.

References: 

https://en.wikipedia.org/wiki/Canadian_privacy_law

https://iclg.com/practice-areas/data-protection-laws-and-regulations/canada

https://securityboulevard.com/2018/11/canadas-new-data-privacy-law-now-in-effect/

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/

https://www.fasken.com/en/knowledge/2018/10/practical-guidance-for-complying-with-canadas-new-privacy-breach-rules/

https://iapp.org/news/a/matchup-canadas-pipeda-and-the-gdpr/
