PIPEDA Compliance Guide

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for the private sector. This guide covers the principles, requirements, and penalties you need to know.

What is PIPEDA?

PIPEDA is Canada's federal privacy law governing the collection, use, and disclosure of personal information by private-sector organisations in the course of commercial activities, and the personal information of employees of federally regulated businesses. Where a province has enacted substantially similar legislation (Alberta, British Columbia, and Quebec), that provincial law applies to organisations operating within the province instead of PIPEDA. Even in those provinces, PIPEDA still applies to federal works, undertakings and businesses (banks, airlines, telecommunications carriers) and to personal information that crosses provincial or national borders in the course of commercial activity.

PIPEDA is built around 10 Fair Information Principles set out in Schedule 1 of the Act, adapted from the CSA Model Code for the Protection of Personal Information. These principles define how organisations must handle personal information. Compliance is overseen by the Office of the Privacy Commissioner of Canada (OPC), which investigates complaints, audits organisations and issues findings and recommendations; binding orders and damages come from the Federal Court.

The 10 Fair Information Principles

1. Accountability

An organisation is responsible for personal information under its control, including information it has transferred to a third party for processing, and must designate an individual accountable for its compliance.

2. Identifying Purposes

The purposes for which personal information is collected must be identified at or before the time of collection. A new purpose requires fresh consent unless it is required by law.

3. Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate (for example, where legal, medical or security reasons make it impossible or impractical). The form of consent must reflect the sensitivity of the information, and consent may be withdrawn.

4. Limiting Collection

The collection of personal information must be limited to what is necessary for the identified purposes, and must be carried out by fair and lawful means.

5. Limiting Use, Disclosure, and Retention

Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the individual's consent or as required by law, and must be retained only as long as necessary to fulfil those purposes.

6. Accuracy

Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.

7. Safeguards

Personal information must be protected by security safeguards appropriate to the sensitivity of the information, against loss or theft as well as unauthorised access, disclosure, copying, use or modification.

8. Openness

An organisation must make readily available specific information about its policies and practices relating to the management of personal information.

9. Individual Access

Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to it. The individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance

An individual must be able to challenge an organisation's compliance with the above principles by contacting the designated accountable person, and the organisation must investigate all complaints.

Key Requirements Checklist

Appoint a privacy officer

Designate an individual or team responsible for your organisation's compliance with PIPEDA, and make that person's name or title and contact details known on request. Accountability stays with you even when you outsource processing.

Obtain meaningful consent

Ensure consent is informed, specific, and obtained before or at the time of collection, and that individuals can withdraw it (subject to legal or contractual restrictions) with reasonable notice. Use express (opt-in) consent for sensitive information such as health or financial data and whenever the collection, use or disclosure falls outside what a reasonable person would expect; implied consent is acceptable only for non-sensitive information.

Publish a clear privacy policy

Make your privacy practices easily accessible and understandable. Under the Openness principle this must include the name or title and address of the person accountable for privacy, how an individual can gain access to their personal information, a description of the types of personal information you hold and how it is used, and what personal information is made available to related organisations such as subsidiaries.

Limit data collection to what is necessary

Collect only the personal information required to fulfil the identified purposes, and do not collect indiscriminately or through deception.

Implement data retention policies

Define and enforce retention schedules tied to the purposes for which the information was collected. Information used to make a decision about an individual must be kept long enough for them to exercise their access rights after the decision. Once information is no longer needed, securely destroy, erase or anonymise it, and document the destruction.

Secure personal information

Apply physical (locked filing cabinets, restricted office access), organisational (security clearances, need-to-know access) and technological (passwords, encryption) safeguards proportional to the sensitivity, amount, distribution and format of the data. Protect information against loss or theft and against unauthorised access, disclosure, copying, use or modification, make staff aware of their obligations, and dispose of information in a way that prevents unauthorised access.

Enable individual access requests

Provide a process for individuals to request access to their personal information, learn how it has been used and to whom it has been disclosed, and challenge its accuracy and completeness. Respond within 30 days of receiving a request (extendable in limited circumstances, with written notice to the requester) at minimal or no cost, and provide the information in a form that is generally understandable.

Report data breaches to the OPC

Report breaches of security safeguards involving personal information under your control to the Office of the Privacy Commissioner as soon as feasible after determining that the breach creates a real risk of significant harm to an individual. Assess that risk from the sensitivity of the information and the probability that it has been or will be misused. Notify the affected individuals directly in the same timeframe, and notify any other organisation or government institution that may be able to reduce the harm.

Maintain breach records

Keep a record of every breach of security safeguards involving personal information under your control, whether or not it met the reporting threshold, for at least 24 months after the day you determined the breach occurred. The record must contain enough detail to let the Commissioner verify that you met your reporting and notification obligations, and you must provide it on request.

Review third-party data transfers

When transferring personal information to a third party for processing (including cloud and SaaS providers), you remain accountable for it. Use contractual or other means to ensure the recipient provides a comparable level of protection while the information is in its hands, and tell individuals when their information may be processed in another jurisdiction and subject to its laws.

Penalties for Non-Compliance

PIPEDA follows an ombudsman model. The Office of the Privacy Commissioner of Canada investigates complaints and issues findings and recommendations, but it cannot itself impose fines or binding orders; those come through the courts. The penalties and remedies are:

Breach Reporting Offences

Knowingly failing to report a breach to the Commissioner, to notify affected individuals, or to keep breach records is an offence, as is destroying personal information that is the subject of an access request, retaliating against an employee who reports a contravention, or obstructing a Commissioner's investigation. On summary conviction the fine is up to $10,000 CAD; prosecuted as an indictable offence it is up to $100,000 CAD.

Federal Court Orders

After the Commissioner has issued a report, the complainant (or the Commissioner, with the complainant's consent) may apply to the Federal Court. The court can order the organisation to correct its practices, publish a notice of the corrective action taken, and award damages to the complainant, including damages for any humiliation suffered.

Check your compliance now

Use Pryvii to automatically scan your website and get a compliance score with concrete recommendations.
