FAQs

About PIPEDA:

• What are my obligations under the Personal Information Protection and Electronic Documents Act?
  
  
• Does PIPEDA apply to my business?
  
  
• Does PIPEDA apply to only to e-commerce or on-line business?
  
  
• What is personal information? How do I know if information is sensitive?
  
  
• Which applies to my business - federal or provincial legislation? What if my organization operates in several provinces?
  
  
• Does PIPEDA apply to information collected prior to January 1, 2004?
  
  
• What other countries have similar legislation?
  
  

How PIPEDA will affect collection of personal information:

• What are the different forms of consent? How do I get consent from an individual?
  
  
• What is a purpose statement?
  
  
• How much information should I collect from an individual?
  
  
• Do I have to retain information and for how long? How do I "destroy" information?
  
  

How PIPEDA will affect your business practices:

• What is safeguarding? What sort of security do I need?
  
  
• How will the legislation impact any international transactions I may engage in?
  
  
• Can I outsource the processing of personal information to an outside company?
  
  
• Does PIPEDA affect employee privacy and human resources?
  
  

How to implement a privacy policy program:

• How do I begin implementing changes to my business in order to comply?
  
  
• Who in my organization is responsible?
  
  
• What does my frontline staff need to know?
  
  
• How should my organization deal with complaints?
  
  
• Who complains to the Privacy Commissioner?
  
  
• What can the Privacy Commissioner do? What are the potential consequences for non-compliance?
  
  

About PIPEDA:

What are my obligations under the Personal Information Protection and Electronic Documents Act?

The PIPEDA establishes a set of ten principles that organizations must follow when collecting, using and disclosing personal information in the course of commercial activity. The Principles are as follows:

• Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
  
  
• Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
  
  
• Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
  
  
• Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
  
  
• Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
  
  
• Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
  
  
• Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  
  
• Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  
  
• Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  
  
• Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
  
  

For more information on your obligations as a business owner/manager please see the Privacy Commissioner of Canada Guide for Business.

Does PIPEDA apply to my business?

The PIPEDA governs "organizations," a term that includes persons, associations, partnerships and trade unions. The term "persons" includes corporations as well as individuals. Organizations are generally subject to the Act to the extent that they collect, use or disclose of personal information in the course of commercial activity. In this regard, even small businesses must establish a privacy program.

Because the nature, size and complexity of operations varies from one organization to another, a privacy compliance regime should be tailored to meet the needs of the individual business. In fact, the PIPEDA is flexible and allows organizations to tailor its principles to their own activities and to the nature of the information in their custody.

Organizations not engaged in commercial activity are not covered by the Act. However, those engaged in the selling, leasing or bartering of donor, membership or other fundraising lists are engaged in commercial activity and are covered by the Act.

Does PIPEDA apply to only to e-commerce or on-line business?

PIPEDA applies to traditional, paper-based business activities as well as on-line activities and e-commerce transactions. All businesses must comply with the legislation. Any organization collecting, using or disclosing personal information in the course of commercial activity is subject to the Act.

What is personal information? How do I know if information is sensitive?

The PIPEDA sets a number of rules to which organizations must adhere when collecting, using or disclosing personal information in the course of commercial activity.

PIPEDA defines personal information as "information about an identifiable individual" that includes any personal information, recorded or not, in any form, including digital or paper format. For example, the following would be considered personal information:

• Name, address, telephone number, gender;
  
  
• Identification numbers, income or blood type;
  
  
• Credit records, loan records, existence of a dispute between a consumer and a merchant, and intentions to acquire goods or services.
  
  

Under PIPEDA, personal information does not include the name, business title, business address, business telephone of any employee, i.e. information on a business card.

The legislation also protects personal information of a sensitive nature, which may include health or medical history, racial or ethnic origin, political opinions, religious beliefs, trade union membership and sexual orientation.

Which applies to my business - federal or provincial legislation? What if my organization operates in several provinces?

Since January 1, 2004, the PIPEDA applies to organizations across the Canadian marketplace. In provinces or territories where a privacy law has been deemed substantially similar to the PIPEDA, organizations will be subject to the provincial privacy law as opposed to the PIPEDA. However, should any personal information cross a border as part of a commercial transaction in which your organization is involved, you will be expected to abide by the PIPEDA. A business could ensure that it is compliant with either law by complying with the higher standard.

"The best practice we can recommend is that any business operating in more than one jurisdiction should meet the highest standard that doesn't impair their business operations."
- Jeffrey A Kaufman, National Co-director of the Privacy and Information Protection Practice Group of Fasken, Martineau, Dumoulin LLP.

Does PIPEDA apply to information collected prior to January 1, 2004?

Personal information that your company has collected during the course of its commercial activities is subject to the Act. Since it has already been collected, you don't need to recollect it. However, in order to continue to use or disclose this information, you now require consent. For example, some organizations have informed all their customers what they do with their information, to whom it is disclosed and given customers the option to object to these ongoing uses or disclosures.

What other countries have similar legislation?

Member countries of the European Union (EU) have comprehensive privacy laws. Non-European countries that have recently enacted data protection legislation applicable to its private sector include Hong Kong, New Zealand and Taiwan. The United States currently does not have federal legislation protecting personal information in the marketplace. To find out more about international privacy laws and Commissions, visit the International Access and Privacy Laws and Commissions (Department of Justice Canada).

How PIPEDA will affect collection of personal information:

What are the different forms of consent? How do I get consent from an individual?

The PIPEDA requires knowledge and consent by an individual for the collection, use or disclosure of his or her personal information in the course of commercial activity.

An organization is expected to inform its clients of the purpose for which their information is being collected. This information must be provided in a manner that can be reasonably understood by the clients.

It must also obtain their consent prior to disclosing their personal information to a third party or using it for a different purpose.

The form of consent sought by organizations may vary, depending on the sensitivity of the information. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can be given in different ways, for example: a form, a check-off box, orally, etc.

What is a purpose statement?

An organization should inform individuals why it is collecting information about them; for example, opening an account, verifying creditworthiness or processing a subscription.

The Act states that "the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes."

How much information should I collect from an individual?

Personal information should not be collected indiscriminately. You should limit the amount and type of the information gathered to what is necessary for the identified purposes.

By reducing the amount of information gathered, you can lower the cost of collecting, storing, retaining and ultimately archiving data. Collecting less information also reduces the risk of inappropriate uses and disclosures.

Do I have to retain information and for how long? How do I "destroy" information?

Organizations may retain personal information only for as long as they require for the purpose it was collected. They should also ensure that it is securely disposed of when no longer required.

For more information on how to safeguard information, please see the Canadian e-Business Initiative's Online E-Security and Privacy Guide.

How PIPEDA will affect your business practices:

What is safeguarding? What sort of security do I need?

PIPEDA dictates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

It is your responsibility to protect personal information from loss or theft and to safeguard it from unauthorized access, disclosure, copying, use or modification. Personal information should be protected regardless of the format in which it is held.

Security safeguards can be the following:

• Physical measures (locked filing cabinets, restricting access to offices, alarm systems)
• Technological tools (passwords, encryption, firewalls, anonymizing software)
• Organizational controls (security clearances, limiting access on a "need-to-know" basis, staff training, confidentiality agreements)

The following factors should be considered in selecting appropriate safeguards:

• Sensitivity of the information
• Amount of information
• Extent of distribution
• Format of the information (electronic, paper, etc.)
• Type of storage

For more information on how to safeguard information, please see the Canadian e-Business Initiative's Online E-Security and Privacy Guide.

How does the legislation impact any international transactions I may engage in?

Since January 1, 2004, the PIPEDA applies to all collections, uses or disclosures of personal information that take place across an international or interprovincial border, in the course of commercial activity. Organizations are required to apply the principles of the PIPEDA to these transactions.

Certain countries or regions have implemented privacy laws that impose privacy protection rules on international trade. For example, the European Union Data Protection Directive, which applies to all EU member countries, allows personal data to be transferred only to those third countries that provide an adequate level of privacy protection. However, the European Commision has recognized Canada's PIPEDA as providing adequate protection for the transfer of personal information from the EU to Canada. This allows for the continued flow of personal information between the European Union (EU) and Canada.

Can I outsource the processing of personal information to an outside company?

The PIPEDA states that organizations are responsible for personal information that has been transferred to a third party for processing. The organization is responsible for using contractual or other means to ensure that a comparable level of privacy protection will be provided while the information is being processed by the third party.

Does PIPEDA affect employee privacy and human resources?

Under PIPEDA, personal information does not include the name, business title, business address, or business telephone of any employee, i.e. information on a business card. However, the PIPEDA does protect the personal information of employees of federally-regulated organizations.

How to implement a privacy policy program:

How do I begin implementing changes to my business in order to comply?

First, designate responsibility of a privacy policy program to someone in your organization. For more information, see "Who in my organization is responsible?".

Your organization should take inventory of all personal information handling practices, including ongoing activities and new initiatives. A checklist may help to create the inventory by asking questions such as: What personal information is collected? Why is it collected? How is it collected? What is it used for? Where is it kept? Who has access? What security measures are used? To whom is it disclosed? When is it disposed of?

After the inventory, develop privacy policies and procedures that address the ten privacy principles. This is a continuous, evolving process that encompasses several steps:

• define the information privacy principles;
  
  
• establish the specific objectives;
  
  
• identify and assess risks of not meeting the objectives;
  
  
• identify and implement appropriate control measures;
  
  
• assess the effectiveness of control measures.
  
  

For more information on how to safeguard information, please see the Canadian e-Business Initiative's Online E-Security and Privacy Guide.

Who in my organization is responsible?

The PIPEDA requires that the responsibility for information privacy be assigned to someone, stating that: "An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles." For small businesses, that person would often be the owner/manager because they understand how the business works, and its systems and processes. It may be beneficial to have the owner/manager, or another responsible individual, determine whether the systems that store personal information have the capacity to track and record who has access to that information, for what purpose and under what conditions. In addition, the responsible individual should determine whether personal information has been disclosed to third parties for processing and how such third parties are contractually or otherwise obligated to protect privacy.

The responsible person should ensure that:

• privacy policies and procedures are in place, and communicated to employees;
  
  
• train staff to manage and protect the privacy of personal information; and
  
  
• develop appropriate documents for disseminating information on privacy policies and establish mechanisms for responding to enquiries and complaints.
  
  

Any organization with interprovincial or international operations may find it necessary to have privacy officers for each jurisdiction. In such cases, it will be important to determine how to facilitate centralized planning and compliance. In any event, the privacy officer should have sufficient authority or access to sufficient authority, to resolve privacy issues.

To promote openness and access, it is important to communicate the name and title of the privacy official, both internally and externally, for example, in published materials such as privacy brochures and on Web sites.

What does my frontline staff need to know?

Ensure employees are aware of their privacy responsibilities and are able to answer an individual's questions about the purpose of the information that is being collected. Employees should also be informed of your privacy policies and practices. They should also be able to provide individuals with the contact information of the person who is responsible for compliance with the PIPEDA within your organization.

How should my organization deal with complaints?

Your organization should develop simple and easily accessible complaint procedures. Inform complainants of avenues of recourse. They include your organization's own complaint procedures and those of the Privacy Commissioner of Canada.

Be sure to investigate all complaints received and take appropriate measures to correct information handling practices and policies, if the complaint is found to be justified.

• Record the date a complaint is received and the nature of the complaint (e.g. delays in responding to a request, incomplete or inaccurate responses, or improper collection, use, disclosure or retention).
  
  
• Acknowledge receipt of the complaint promptly.
  
  
• Contact the individual to clarify the complaint, if necessary.
  
  
• Assign the investigation to a person with the skills necessary to conduct it fairly and impartially.
  
  
• Give the investigator access to all relevant records, employees or others who handled the personal information or access request.
  
  
• Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.
  
  
• Correct any inaccurate personal information or modify policies and procedures based on the outcome of complaints.
  
  

How well your organization handles an individual's complaint may help preserve or restore the individual's confidence in your organization.

Who complains to the Privacy Commissioner?

Complaints are confidential and can come from any source - a competitor, a client or an employee. Individuals will have the right to complain about any aspect of an organization's compliance with the provisions relating to the protection of personal information, and all complaints are investigated.

What can the Privacy Commissioner do? What are the potential consequences for non-compliance?

The Commissioner will have general powers to receive and investigate complaints, and to attempt dispute resolution. All complaints must be investigated.

A complaint may be disposed of in one of the following three ways:

• Not well founded: The is no evidence to lead the Commissioner to conclude that the organization violated the Act
  
  
• Well founded: The investigation revealed that the organization failed to respect a provision of the Act and the complaint was not resolved.
  
  
• Resolved: The investigation supports the complaint, but the organization agrees to take corrective action to remedy the situation. The complaint may also be resolved if it appears to be the result of miscommunication or misunderstanding. The complaint is also resolved if the complainant is satisfied with the Commissioner's efforts and the results.
  
  

The Privacy Commissioner may make public any information relating to the personal information management practices of an organization if the Commissioner considers that it is in the public interest to do so.