Data privacy can make or break your business.
Many compliance regimes and standards have been developed to give consumers control over their data and to protect their privacy. When handling consumer data at scale, it's important to understand the relevant regulations, including Canada's PIPEDA, the parties they affect, and the penalties for non-compliance.
Here's a deeper dive into PIPEDA, how it compares to HIPAA and GDPR privacy standards, and how organizations can maintain PIPEDA compliance.
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that received Royal Assent on April 13, 2000, and came into force in stages, starting January 1, 2001. The law was fully enacted on January 1, 2004.
PIPEDA enables Canadian businesses to compete in the global digital economy while alleviating concerns about consumer privacy. The law must be reviewed every five years to ensure effective legislation and outcomes such as protecting personal information.
Personal information is any factual or subjective information about an identifiable individual. It includes elements like:
- Personal health information (PHI)
- Employment details and files
- Credit and loan records
- Subjective information like evaluations and disciplinary actions
- Direct identifiers such as name, age, and ID numbers
What is the purpose of PIPEDA?
PIPEDA sets the ground rules for how organizations subject to the law must handle personal information in the course of commercial activities. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance: it advises businesses on how to handle personal information and investigates privacy complaints from individuals.
What influenced PIPEDA’s development?
Laws are proposed and approved for a reason. In many cases, the goal is to remedy a shortcoming or oversight in existing legislation.
In this case, the impetus for PIPEDA was a growing concern about how companies handled electronically transmitted personal data as more and more customers turned to e-commerce solutions. By setting rules on how commercial organizations manage personal data, PIPEDA seeks to protect consumers’ rights related to the use of their data.
Here are some key PIPEDA provisions:
- The Act seeks to balance an individual's right to privacy of their personal information with the needs of organizations to collect and handle the information when conducting business.
- Under PIPEDA, Canadians have the right to know why an organization collects, uses, or discloses their personal information. Consumers can review the data collected and make corrections to address inaccuracies.
- Businesses must obtain consent to collect, use, or disclose personal information. The Act lists limited exceptions, for example where the information is needed to investigate a breach of an agreement or a contravention of law, or in an emergency that threatens an individual's life, health, or security.
- PIPEDA grants individuals the right to complain to the Privacy Commissioner about how organizations handle their personal information. The Privacy Commissioner examines and resolves complaints.
- The Privacy Commissioner can make findings public or apply to the Federal Court of Canada, which can order an organization to correct its practices and award damages to affected individuals.
- PIPEDA contains a set of fair information principles based on international data protection laws and the Canadian Standards Association's Model Code for the Protection of Personal Information. That code was developed jointly by businesses, consumer associations, government, and other organizations concerned with privacy.
PIPEDA's 10 fair information principles
At the heart of PIPEDA are the 10 fair information principles, which every organization subject to the law must follow when handling personal information. They are:
- Accountability: An organization is responsible for the personal information under its control and must designate an individual (typically a privacy officer) who is accountable for compliance. That responsibility extends to information transferred to third parties for processing, which must be protected by contractual or other means.
- Identifying purposes: Organizations must identify, at or before the time of collection, the purposes for which personal information is collected. This ensures that individuals know why their data is being collected, helps the organization limit collection and use to those purposes, and means fresh consent is required before the information is used for a new purpose.
- Consent: Organizations must obtain meaningful consent, which may be express or implied depending on the sensitivity of the information and the individual's reasonable expectations. Consent cannot be coerced, and individuals must understand what they are consenting to.
- Limiting collection: Organizations may collect only the information necessary for the purposes they have identified, and must collect it by fair and lawful means.
- Limiting use, disclosure, and retention: Personal information may be used or disclosed only for the purposes for which consent was obtained, unless the individual consents otherwise or the law requires it. It should be retained only as long as necessary to fulfil those purposes; information used to make a decision about an individual must, however, be kept long enough for the individual to access it and challenge the decision.
- Accuracy: Personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is used.
- Safeguards: This is perhaps the most critical PIPEDA principle for security engineers, since it deals directly with protecting the information collected. Organizations must protect personal information against loss or theft and against unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held. The level of protection must correspond to the sensitivity of the information.
- Openness: Businesses must inform users how their data is collected, processed, shared, and stored. The name and contact information of the person designated in the accountability principle must be made available, and users must be informed of how to access the collected data.
- Individual access: On written request, an organization must tell an individual whether it holds personal information about them, give them access to it, and explain how it has been used and to whom it has been disclosed. The response is normally due within 30 days; the Act allows an extension of up to a further 30 days in limited circumstances, provided the individual is told. Individuals can then challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging compliance: Organizations must have procedures to receive, investigate, and resolve complaints about non-compliance with these principles. If a complaint is justified, the organization must correct its practices and, where needed, its policies. The complainant must be informed of the outcome of the complaint and of any further recourse available to them.
Who does PIPEDA apply to?
Not all organizations operating in Canada are subject to PIPEDA. The regulations apply to:
- Any private sector organization in Canada that collects, uses, or discloses personal information while engaging in commercial activities
- Federally regulated organizations such as banks, telecommunications companies, airlines, and interprovincial or international transport companies; for these organizations PIPEDA also covers employees' personal information, which it does not for other private sector employers
- Organizations that transfer personal information across provincial or national borders in the course of commercial activity
Organizations and activities outside the scope of PIPEDA:
- Charities, political parties, and non-profit organizations, to the extent they are not engaged in commercial activities
- Federal government institutions covered by the Privacy Act
- Collection, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes
- Organizations operating entirely within Quebec, British Columbia, or Alberta, whose private sector privacy laws have been declared substantially similar to PIPEDA; federally regulated businesses, and personal information that crosses provincial or national borders, remain subject to PIPEDA even in those provinces
How does PIPEDA protect personal information?
PIPEDA's safeguards principle calls for three kinds of protection, chosen according to the sensitivity of the information.
- Physical: Physical safeguards prevent unauthorized people from reaching the media and systems that hold personal information. Measures include locked offices and filing cabinets, surveillance cameras, and housing servers in a secured internal or third-party data centre.
- Organizational: These are the policies and procedures that govern how staff handle personal information. Training the workforce to create a culture that values privacy is a standard component. The Act gives security clearances and limiting access on a need-to-know basis as examples of organizational measures, and any unauthorized access by internal actors should be investigated.
- Technical: Critical technical safeguards include encrypting data at rest and in transit, authenticating users and restricting their access to what their role requires, logging and monitoring activity on systems that hold personal information, and network controls such as firewalls that keep unauthorized users away from those systems.
Individuals whose information is covered by PIPEDA have the following rights and expectations about the use of their data.
- They have the right to see what has been collected about them and to have errors corrected.
- They may refuse to provide information that is excessive or unnecessary for the stated purpose, and an organization may not make a product or service conditional on consenting to collection beyond what that purpose requires.
- They should expect their data to be used only for the specific purpose for which consent was given.
- They have the right to complain to the OPC if they believe their privacy rights have been violated.
Responding to data breaches
Since November 1, 2018, organizations subject to PIPEDA must report to the OPC any breach of security safeguards that creates a real risk of significant harm (RROSH) to an individual. They must also notify the affected individuals as soon as feasible, and notify any other organization or government institution that may be able to reduce the harm.
Whether a breach meets the RROSH threshold depends on the sensitivity of the information involved and the probability that it will be misused. Organizations must keep a record of every breach of security safeguards, whether or not it meets the RROSH threshold, for at least 24 months, and must provide those records to the OPC on request.
Penalties for non-compliance
Non-compliance can result in two kinds of consequence.
- Financial penalties: The Digital Privacy Act amendments to PIPEDA, in force since 2018, make it an offence to knowingly fail to report or record a breach of security safeguards, to obstruct the Commissioner's investigation, or to retaliate against an employee who reports a contravention in good faith. The fine is up to CAD 100,000 per offence. The OPC itself cannot issue fines under PIPEDA; monetary awards come through the Federal Court, which can also order an organization to change its practices.
- Reputational damage: A breach, or a public OPC finding that an organization lacked adequate safeguards, erodes customer trust, which can cost far more than any fine.
PIPEDA vs. HIPAA vs. GDPR
Canada, the United States, and the European Union (EU) have enacted laws addressing citizens' concerns about using their personal information. While these laws all focus on protecting private personal information, the specific protections they provide and how they’re enforced vary significantly.
Here's a quick comparison between PIPEDA, the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the EU General Data Protection Regulation (GDPR).
Similarities in these privacy regulations
All three privacy regulations protect sensitive personal information.
- PIPEDA protects a wide range of personal data, including health information, financial data, and direct identifiers.
- HIPAA focuses on an individual’s protected health information (PHI).
- GDPR protects data that can be used directly or indirectly to identify a living person, including names, addresses, IP addresses, and cookie identifiers. It also singles out special categories such as racial or ethnic origin, religious beliefs, and health data for stricter processing conditions; PIPEDA covers the same kinds of information but treats them as sensitive personal information under its general rules rather than as formal categories.
All three privacy standards require organizations to implement safeguards to protect collected personal data.
- PIPEDA encourages organizations to implement technical, physical, and organizational safeguards, as discussed earlier in this article.
- HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI.
- GDPR requires technical and organizational measures appropriate to the risk, which in practice includes controlling physical access to the systems that hold personal data.
Differences in these regulatory initiatives
There are substantial differences between these three data privacy standards. Fines are structured differently for violating each regulatory standard.
- PIPEDA: Up to CAD 100,000 per offence for the breach-reporting and obstruction offences described above, plus court-awarded damages
- HIPAA: Tiered civil penalties based on the level of culpability, with an annual cap of $1,500,000 (adjusted for inflation) for violations of the same provision
- GDPR: Up to 4% of annual global turnover or €20 million, whichever is higher, for the most serious infringements; a lower tier of 2% or €10 million applies to others
An individual’s rights vary depending on what guidelines are at play.
- PIPEDA: Individuals can access the personal information held about them, challenge its accuracy, and have it corrected.
- HIPAA: Patients can see and obtain copies of their PHI and request amendments to it.
- GDPR: Individuals can access their data, have it rectified, and, in defined circumstances, have it erased; they also have rights to data portability and to object to certain processing.
What is PIPEDA compliance?
PIPEDA compliance means meeting the obligations the Act places on commercial organizations: the 10 fair information principles, the breach-reporting and record-keeping rules, and the individual rights described above. To get there, an organization needs to map where it collects, stores, uses, and discloses personal information and bring each of those activities into line with the principles. Failure to comply can result in fines, court-ordered remedies, and reduced consumer confidence.
Why is PIPEDA compliance essential?
The rise of e-commerce and social media has raised the stakes of data privacy regulation, including PIPEDA. Regulatory compliance matters to a business and its customers for several reasons.
- Customers' sensitive personal data need to be protected from misuse or access by unauthorized and potentially malicious actors.
- Failure to comply with regulatory standards such as PIPEDA can result in significant fines.
Businesses that fail to comply with data protection regulations can lose customer trust and suffer reputational damage that may never be repaired.
How to obtain PIPEDA compliance
To comply with PIPEDA, organizations must implement safeguards that protect individuals' personal information. They have two main options for building and operating the infrastructure that holds it.
In-house versus vendor-assisted compliance
Organizations can build and run compliant systems using in-house resources or engage an experienced third-party cloud or hosting provider. Each approach has advantages and disadvantages.
Using in-house resources
- Companies that build a compliant infrastructure using internal resources can exercise more control over the sensitive data they collect and process.
- Capital costs can be high when purchasing new hardware to build the environment.
- Organizations with limited IT departments may not have the expertise or free cycles needed to implement and maintain a PIPEDA-compliant environment.
Engaging a third-party cloud partner
- Capital costs are reduced because cloud hosting provides the computing infrastructure.
- A reputable provider brings expertise in running hardened infrastructure, reducing the likelihood of a breach of security safeguards. Under the accountability principle, however, the organization remains responsible for personal information it transfers to a third party for processing, so the contract must require a comparable level of protection and the organization should verify that it is delivered.
- Businesses can quickly scale up or down using cloud resources to meet fluctuating or seasonal customer demand.
Keep tabs on your compliance
PIPEDA compliance shouldn't be overlooked. Financial penalties affect a company's bottom line, but the less tangible effects can be far more costly: it may be impossible to restore customer trust once a breach compromises personal data.
Businesses that need to comply with PIPEDA can reduce the effort and complexity of maintaining compliance by working with a reputable hosting provider. The right provider can supply infrastructure that supports PIPEDA's safeguards, letting the company focus on its core business while it retains accountability for how personal information is collected, used, and disclosed.