Canadian Data Privacy Standards (PIPEDA)

Learn the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. Privacy is very important to Canadians and these standards help keep your clients protected.

Why This Matters

The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation that applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.

There are a number of requirements to comply with the law. Organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards.

In BC, there is another law, the Personal Information Protection Act (PIPA), which came into effect in January 2004. PIPA applies to any private-sector organization that collects, uses, or discloses the personal information of individuals in BC. It also applies to any organization located within BC that collects, uses, or discloses the personal information of any individual, whether inside or outside of BC.

The main legislation related to data security in Canada is the Personal Information Protection and Electronic Documents Act (‘PIPEDA’), and then BC has its own set of regulations for the private sector under the Personal Information Protection Act, SBC 2003 c 63 (‘BC PIPA’).

This blog post does a good job of simplifying PIPEDA requirements and explaining when they apply.

Resources

The Personal Information Protection and Electronic Documents Act – The Office of the Privacy Commissioner of Canada

Data Protection in Canada: All You Need to Know about PIPEDA – Simplifying PIPEDA Requirements.

A Guide to B.C.’s Personal Information Protection Act – In depth resource on PIPA by the Office of the Privacy Commissioner of BC.

Canadian Data Residency and the Public Cloud: What You Need to Know – Cloud computing has quickly become a top priority for the Canadian government sector (older article, but it provides a great explanation).

Recommendations

Most software, apps and plug-ins (the best ones we all use and want) do NOT YET meet Canadian data security requirements. It is best to inquire about this before purchasing software or using a product.

Things are improving (with some SaaS providers allowing data-stores to be chosen based on country of use, etc.) but practically speaking it is best to follow the guidelines that are referenced below.

The main reason many platforms and tools are not compliant is where the data is stored. The concern with Canadian data being stored in other countries (such as the US) is that it can no longer be protected according to our privacy and security standards.

For example, if Canadian data were to reside in the United States, the data could be accessed by the US government under the Patriot Act. The Personal Information Protection Act in Canada, a law that protects data from being improperly disclosed, would then have no legitimacy. Therefore, Canada (and other countries) has adopted data residency laws to prevent certain information from moving internationally, ultimately in order to protect government data from foreign intrusion. As an example, here is an article/whitepaper from Google on this topic if you are interested in the details.

As far as what the BC regulations are, here are the key guidelines an organization should consider in order to be compliant with BC PIPA:

  • Be accountable for your information practices
  • Obtain consent
  • Follow the rules for collecting personal information
  • Follow the rules for using personal information
  • Follow the rules for disclosing personal information
  • Follow the special rules for employee personal information
  • Follow the special rules for business transactions
  • Follow the rules for giving individuals access to their own personal information
  • Follow the rules for correcting personal information
  • Follow the rules for accuracy, protection and retention of personal information

The BC PIPA guide above (in the resource section) will provide much more detailed info on these guidelines and how to comply with them.

Privacy Policy

A Privacy Policy is a statement on behalf of an organization or entity outlining how they use customer or client data that they collect online. It establishes the organization’s practices regarding collecting, using, disclosing, protecting, and managing personal information. Do you really need a privacy policy on your website?

Do I really need a Privacy Statement on my Website – (The answer is YES). This article helps in understanding privacy policies from a Canadian perspective and provides links for you to create, update, or re-evaluate your own privacy policy.

Privacy Policy Creation – Ten tips for a better online privacy policy and improved privacy practice transparency.
