The Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) is one of the most significant pieces of legislation affecting the way that PRAXIS carries out its information processing activities. PIPEDA governs the collection, use and disclosure of personal information in the course of commercial activity in Canada. An organization that knowingly fails to meet its breach reporting and record-keeping obligations under PIPEDA, or that obstructs an investigation, commits an offence punishable by fines. It is PRAXIS’ policy to ensure that our compliance with PIPEDA and other relevant legislation (such as the California Consumer Privacy Act (CCPA), which shares many of the same principles) is clear and demonstrable at all times.
What is Personal Information?
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or to change jobs).
Fair Information Principles Relating to Protecting Personal Data
Businesses must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA.
Following these principles contributes to building trust in PRAXIS and in the digital economy.
The principles are:
- Accountability: An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
- Identifying Purposes: The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
- Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Limiting Collection: The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
- Limiting Use, Disclosure and Retention: Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
- Accuracy: Personal information must be as accurate, complete, and up to date as possible in order to properly satisfy the purposes for which it is to be used.
- Safeguards: Personal information must be protected by appropriate security relative to the sensitivity of the information.
- Openness: An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
- Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to challenge an organization’s compliance with the above principles. A challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually its Chief Privacy Officer.
PRAXIS must ensure that it complies with all of these principles, both in the processing it currently carries out and when introducing new methods of processing such as new IT systems.
Rights of the Individual
The individual also has rights under the PIPEDA. These consist of:
- The right to give or withhold consent to the collection, use or disclosure of personal information
- The right of access to one’s personal information
- The right to challenge the accuracy of one’s personal information
Organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information. Individuals must understand what they are consenting to: consent is only valid if it is reasonable to expect that the individual will understand the nature, purpose and consequences of the collection, use or disclosure of their personal information. Consent may only be made a condition of supplying a product or service for collections, uses or disclosures that are necessary to fulfil an explicitly specified and legitimate purpose. For collections, uses and disclosures that are not integral to the product or service, individuals must be given a choice. The form of consent (express or implied) must take into account the sensitivity of the personal information, and the way consent is sought will depend on the circumstances and the type of information being collected.
Individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, and you must inform individuals of the implications of withdrawal.
Privacy by Design
PRAXIS has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal information are subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments (also known as data protection impact assessments).
The privacy impact assessment will include:
- Consideration of how personal information will be processed and for what purposes
- Assessment of whether the proposed processing of personal information is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in processing the personal information
- What controls are necessary to address the identified risks and demonstrate compliance with legislation
- Consideration of techniques such as data minimization and pseudonymization, where applicable and appropriate
Breach Notification
It is PRAXIS’ policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal information. In line with PIPEDA, where a breach of security safeguards is known to have occurred and it is reasonable to believe that it creates a real risk of significant harm to an individual, the Office of the Privacy Commissioner of Canada (OPC) and the affected individuals will be notified as soon as feasible. A record of every breach of security safeguards, whether or not it meets that threshold, will be kept for 24 months. This will be managed in accordance with our Information Security Incident Response Procedure, which sets out the overall process for handling information security incidents.
Under PIPEDA, the OPC does not itself prosecute offences or issue fines. The OPC can refer information relating to the possible commission of an offence (such as knowingly failing to report or record a breach, or obstructing an investigation) to the Attorney General of Canada, who is responsible for any prosecution; on conviction, fines of up to $100,000 per offence apply. Complaints may also be taken to the Federal Court, which can order an organization to correct its practices and can award damages.
Addressing Compliance with the PIPEDA
The following actions are undertaken to ensure that PRAXIS complies at all times with the provisions of the PIPEDA:
- The purposes for which personal information is collected, and the consent relied on for each collection, use and disclosure, are clear, unambiguous and documented
- All staff involved in handling personal information understand their responsibilities for following good data protection practice
- Training in data protection is provided to staff who handle personal information and is kept up to date
- Rules regarding consent are followed
- Routes are available to individuals wishing to exercise their rights regarding personal information and such enquiries are handled effectively
- Regular reviews of procedures involving personal information are carried out
- Privacy by design is adopted for all new or changed systems and processes
These actions will be reviewed during management reviews.