The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy legislation for private-sector organizations in Canada.
PIPEDA became law on April 13, 2000 to promote trust and data privacy in ecommerce, and its reach has since expanded to include industries such as banking, broadcasting and the health sector.
The purpose of the law is "to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for the purposes that a reasonable person would consider appropriate in the circumstances."
Like the European Union's General Data Protection Regulation (GDPR), under PIPEDA individuals have the right to access personal information held by an organization, know who is responsible for collecting it, understand why it's being collected and to challenge its accuracy.
This is an important aspect of PIPEDA, as it reassures the EU that Canadian privacy law adequately protects the sensitive information of European citizens. Another important aspect of PIPEDA is that it is designed to keep Canada's data breach notification requirements consistent with those of the country's trading partners, including the EU.
According to a 2017 regulatory impact analysis by the Canadian government, PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the EU, which allows the free flow of personal information from the EU to Canadian organizations.
An overview of PIPEDA
PIPEDA can be split into two parts: the rights of the individual and the requirements placed on organizations.
PIPEDA gives individuals the right to:
- Ask why an organization is collecting, using or disclosing their personally identifiable information (PII)
- Expect organizations to only collect, use or disclose personal data reasonably and appropriately
- Expect organizations will not use collected information for any purpose other than that to which they have consented
- Know who in the organization is responsible for protecting their personal information
- Expect organizations to protect their personal information by taking appropriate security measures, e.g. automated vendor risk scoring
- Expect organizations to keep personal information accurate, complete and up-to-date
- Obtain access to their personal information and ask for corrections if necessary
- Complain about how an organization handles their personal information if they feel their privacy rights have not been respected
PIPEDA then requires organizations to:
- Obtain an individual's consent to collect, use or disclose personal information
- Supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless the information is essential to the transaction
- Collect information by fair and lawful means
- Have personal information policies that are clear, understandable and readily available
How has PIPEDA been implemented?
The implementation of PIPEDA has occurred in three stages.
In 2001, the law applied to federally regulated industries (such as airlines, banking and broadcasting). In 2002, the law's reach was expanded to include the health sector. By 2004, any organization collecting personal information in the course of commercial activity was covered by PIPEDA, except in provinces that had substantially similar privacy laws.
As of October 2018, the following seven provincial laws have been deemed substantially similar to PIPEDA:
- An Act Respecting the Protection of Personal Information in the Private Sector (Quebec)
- The Personal Information Protection Act (British Columbia)
- The Personal Information Protection Act (Alberta)
- The Personal Health Information Protection Act (Ontario)
- The Personal Health Information Privacy and Access Act (New Brunswick)
- The Personal Health Information Act (Newfoundland and Labrador)
- The Personal Health Information Act (Nova Scotia)
What are the ten principles of PIPEDA?
The ten principles of PIPEDA, referred to as the fair information principles, represent the foundation of PIPEDA and are detailed in Schedule 1 of the Act:
- Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance including information that has been transferred to a third-party vendor for processing.
- Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
- Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
Who is subject to PIPEDA compliance?
Any private organization in Canada that collects personal information in the course of a commercial activity is subject to PIPEDA. PIPEDA also applies to federal works, undertakings and businesses in respect of employee personal information.
If you are unsure if your organization is subject to PIPEDA use the “Find the right organization to contact about a privacy issue” tool.
Who isn't subject to PIPEDA compliance?
The major exception to PIPEDA compliance is organizations that collect, use or disclose personal information entirely within provinces that have their own privacy laws deemed substantially similar to the federal law. In such cases the provincial law applies instead of PIPEDA, although PIPEDA still applies to federal works, undertakings or businesses, and to interprovincial or international transfers of personal information.
The other exceptions are federal government organizations listed under the Privacy Act, provincial or territorial governments and their agents, organizations collecting, using or disclosing personal information solely for journalistic, artistic or literary purposes, and individuals collecting, using or disclosing personal information strictly for personal purposes.
What is personal information under PIPEDA?
Under PIPEDA, personal information is defined as information about an identifiable individual. It is information that, on its own or combined with other pieces of data, can identify an individual, such as:
- ID number
- Financial information
- Ethnic origin
- Marital status
- Blood type
- Medical history
- Educational history
- Employment history
- Social insurance number
- Driver's license
- Social status
- Disciplinary actions
- Employee files
- Credit records
- Loan records
- Medical records and other protected health information (PHI)
- Existence of a dispute between a consumer and a merchant
What isn't personal information under PIPEDA?
Information that is generally not considered personal information includes:
- Information that is not about an individual, because the connection with a person is too weak or far-removed (for example, a postal code on its own which covers a wide area with many homes).
- Information about an organization such as a business.
- Information that has been rendered anonymous, as long as it is not possible to link that data back to an identifiable person.
- Certain information about public servants such as their name, position and title.
- A person’s business contact information such as an employee's name, title, business address, telephone number or email address that an organization collects, uses or discloses for the sole purpose of communicating with that person in relation to their employment, business or profession.
- Government information. People occasionally contact the government for access to government information; this is distinct from personal information.
- Personal information handled by federal government organizations listed under the Privacy Act.
What are the data breach notification requirements of PIPEDA?
As of November 1, 2018, organizations subject to PIPEDA must notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals if they become aware of any data breaches or data leaks involving personal information that pose a significant risk of harm to individuals. The OPC defines harm as "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property."
The Office of the Privacy Commissioner of Canada also suggests organizations take into consideration the sensitivity of the personal information collected and involved in the breach, as well as the probability that the personal information could be misused. It is also important to consider whether the breach was the result of a cyber attack, as well as whether the data was encrypted or anonymized.
These provisions were approved in 2015 as part of Bill S-4, the Digital Privacy Act.
The provisions require organizations to keep records of all data breaches of security safeguards for two years, regardless of whether the breaches were reported to the Office of the Privacy Commissioner of Canada.
Under PIPEDA a breach of security safeguards is defined as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards."
Unlike the NIST Cybersecurity Framework, PIPEDA does not provide detailed guidance on how to protect personal information; however, there are common controls and threats to consider when designing safeguards, such as:
- Access control
- The principle of least privilege
- Risk assessment methodologies
- Incident response planning
- Biometric authentication
- Defense in depth
- Digital forensics
- IP attribution
- Information security policies
- Cybersecurity risk assessments
- Domain hijacking
- Man-in-the-middle attacks
- Corporate espionage
- Email spoofing
- Computer worms
- Social engineering
- Spear phishing
Overall, companies need to develop a framework to assess cybersecurity risk and invest in ways to prevent data breaches. This means developing robust information risk management, vendor risk management, information security, network security and data security processes and programs. To prevent data leaks, invest in a tool that continuously scans for data exposures and leaked credentials.
Recall that PIPEDA applies to third-party vendors too: outsourcing does not limit your liability. This means organizations need to invest in automating vendor risk management, developing a third-party risk management framework, creating a vendor management policy and using vendor risk assessment questionnaire templates to truly understand third-party and fourth-party risk. Also look for vendors with SOC 2 assurance.
Failure to comply with PIPEDA's data breach notification and record keeping requirements can result in fines of up to CAD$100,000. However, the true cost of a data breach is closer to $3.92 million, according to a study from Ponemon Institute and IBM Security.
This is why more organizations are investing in vendor risk management and cyber security ratings tools that can help them automatically monitor and assess first, third and fourth-party security postures.
These tools can reduce the risk of third-party data breaches and exponentially increase the number of third-party vendors one person can monitor.
How UpGuard can prevent data breaches and data leaks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, and prevent data breaches and data leaks, helping you avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.