Canada’s PIPEDA
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
Designed for the private sector, PIPEDA is the Canadian privacy law that dictates how organizations that collect personal information for commercial purposes from Canadian visitors, should handle the data in order to carry out their businesses. While the law affects businesses based in Canada who collect data from Canadian visitors, it does not apply to non-profits, government institutions nor associations.
PIPEDA refers to personal information as factual or subjective information, recorded or not, about an identifiable individual. Categories of data include but are not limited to: age, name, ethnic origin, social status, credit records, medical records, comments, etc.
Apart for obtaining individuals’ consent for collection or facilitating their rights to access their personal information held by an organization, there is a set of requirements that organizations who collect data from Canadian visitors, must comply with.
Accountability
Organizations are responsible for any and all personal information that they have under their control. While daily collection and processing of personal information can be handled by different people in the organization, a staff member accountable for the organization’s compliance with the privacy principle must be appointed.
Identifying Purposes
Before or at the time of collection, organizations shall identify the purposes for which data is collected. In cases where personal information was collected for a non-disclosed purpose, the organization shall identify it prior to processing the information and request the individuals’ consent for it.
Consent
Individuals consent is required for the collection, use or disclosure of personal information except for circumstances where for legal, medical or security reasons, consent is impossible or impractical to seek. Individuals have the option to withdraw consent at any time depending on legal or contractual limitations and organization shall inform them over the implications of the withdrawal.
Limiting Use, Disclosure and Retention
The amount and the type of personal data collected should be limited to the identified purposes for which it was collected. Data used to make a decision about an individual will be retained for a period of time sufficient to allow the individual to access it after the decision has been made. When data no longer serves the purposes for which it was collected, it should be destroyed, erased, or made anonymous.
Accuracy
Personal information must be complete, accurate, and as up-to-date as possible to serve the purposes for which it was collected.
Safeguards
Ensure the security of personal information against loss, theft, unauthorized access, disclosure, copying, use or modification, both when data is stored and when it is disposed of, regardless of its format.
Openness
Full transparency about an organization’s policies and practices should be publicly and readily available to individuals in a generally understandable form.
Individual Access
Individuals can request access to their personal information and gain insights about its existence, use, and disclosure as well as challenge the accuracy and completeness of their private data.
Challenging Compliance
Organizations shall have the necessary resources to respond to individuals’ inquiries about the practices and use of personal information. A complaint procedure should be accessed easily and be simple to use at all times by all individuals.