Personal Information Protection and Electronic Documents Act
🍁 Canada's Federal Privacy Law 🍁
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.
Enacted in 2000, PIPEDA applies to every organization in Canada that collects, uses, or discloses personal information in the course of a commercial activity, with some exceptions for provinces with substantially similar legislation.
The law aims to balance an individual's right to privacy with an organization's need to collect, use, and disclose personal information for legitimate business purposes.
Private sector organizations conducting commercial activities across Canada, including federally regulated sectors like banking, telecommunications, and interprovincial transportation.
Quebec, British Columbia, and Alberta have their own substantially similar privacy laws that apply instead of PIPEDA for intra-provincial activities.
Any factual or subjective information about an identifiable individual, including name, age, ID numbers, income, ethnicity, blood type, opinions, evaluations, and more.
The Office of the Privacy Commissioner of Canada (OPC) investigates complaints and conducts audits to ensure compliance with PIPEDA.
Organizations are responsible for personal information under their control and must designate an individual accountable for compliance with PIPEDA.
Organizations must identify the purposes for which personal information is collected at or before the time of collection.
Knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The collection of personal information must be limited to that which is necessary for the purposes identified by the organization.
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law. Information should be retained only as long as necessary.
Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
Personal information must be protected by security safeguards appropriate to the sensitivity of the information.
Organizations must make readily available to individuals specific information about their policies and practices relating to the management of personal information.
Upon request, individuals must be informed of the existence, use, and disclosure of their personal information and be given access to that information.
Individuals have the right to challenge an organization's compliance with these principles to the designated individual accountable for compliance.
You can request to see what personal information an organization has about you and how it's being used.
You can ask an organization to correct inaccurate or incomplete personal information.
You can withdraw your consent for the collection, use, or disclosure of your information, subject to legal or contractual restrictions.
You can file a complaint with the Privacy Commissioner if you believe an organization has violated your privacy rights.
Organizations must tell you why they're collecting your personal information and how they plan to use it.
Organizations can only use your information in ways a reasonable person would consider appropriate given the circumstances.
Ensure consent is clear, understandable, and informed. Use plain language and make it easy for individuals to withdraw consent.
Use appropriate physical, organizational, and technological measures to protect personal information from unauthorized access, disclosure, or misuse.
Provide individuals with access to their personal information within 30 days of receiving a request, or explain why access cannot be granted.
Notify the Privacy Commissioner, affected individuals, and other organizations of breaches involving a real risk of significant harm.
Keep records of all breaches of security safeguards for at least 24 months, even if they don't require notification.
Designate an individual responsible for ensuring compliance with PIPEDA and make their contact information available.
The Privacy Commissioner can recommend fines of up to $100,000 per violation for organizations that fail to comply with certain provisions.
Individuals can take organizations to Federal Court for damages, including for humiliation suffered as a result of a PIPEDA violation.
Failure to report breaches, maintain records, or notify affected individuals can result in significant penalties.
Privacy Commissioner findings and investigations are public, which can damage an organization's reputation and customer trust.