Canada PIPEDA Compliance

Guides compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5). Covers the 10 fair information principles in Schedule 1, consent requirements, cross-border transfer obligations, breach notification under Division 1.1, and OPC enforcement. Keywords: PIPEDA, Canada privacy, fair information principles, OPC, breach notification, cross-border transfer, consent.

ID: ca.data-protection.canada-pipeda Version: 0.1.0 License: Apache-2.0 Author: mukul975 Language: en Added: 2026-06-01

Overview

The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) is Canada's federal private-sector privacy law. It applies to organizations that collect, use, or disclose personal information in the course of commercial activities, and to personal information about employees of federal works, undertakings, and businesses. PIPEDA incorporates the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) as Schedule 1, establishing 10 fair information principles.

The Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA compliance, investigates complaints, conducts audits, and publishes findings and guidance. The Digital Privacy Act (S.C. 2015, c. 32) amended PIPEDA to add mandatory breach reporting, valid consent requirements, and enhanced enforcement provisions.

Note: Organizations in provinces that have enacted substantially similar legislation (Alberta PIPA, British Columbia PIPA, Quebec's Act respecting the protection of personal information in the private sector) are exempt from Part 1 of PIPEDA for collection, use, and disclosure that takes place within that province. PIPEDA continues to apply in every province to federal works, undertakings, and businesses, and to personal information that crosses provincial or national borders in the course of commercial activity.

The 10 Fair Information Principles (Schedule 1)

Principle 1 — Accountability (Clause 4.1)

An organization is responsible for personal information under its control. It must designate an individual or individuals who are accountable for compliance with the principles. Accountability remains with the organization even when personal information is transferred to a third party for processing.

Key requirements:

  • Designate a privacy officer or chief privacy officer
  • Implement policies and practices to give effect to the principles
  • Establish complaint-handling procedures
  • Train staff on privacy obligations
  • Develop information to explain the organization's policies and procedures

Principle 2 — Identifying Purposes (Clause 4.2)

The purposes for which personal information is collected must be identified at or before the time of collection. If a new purpose arises after collection, the organization must identify the new purpose and, unless the new purpose is required by law, obtain fresh consent before using the information for that purpose (Clause 4.2.4).

Principle 3 — Consent (Clause 4.3)

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate (as listed in sections 7(1)-(3) of PIPEDA).

Forms of consent recognized by the OPC:

  • Express consent: Required where the information is sensitive (for example health data, financial information, precise location, information about children), where the collection, use, or disclosure falls outside the individual's reasonable expectations, or where it creates a meaningful residual risk of significant harm
  • Implied consent: Acceptable where the purpose would be obvious to a reasonable person and the information is not sensitive
  • Opt-out consent: A form of implied consent that is acceptable only in limited circumstances for non-sensitive information, where the individual is clearly notified and given a reasonable opportunity to decline before or at the time of collection

OPC Guidelines for Obtaining Meaningful Consent (2018):

  1. Emphasize key elements — what personal information is collected, with whom it is shared, for what purposes, and the risk of harm
  2. Allow individuals to control the level of detail they receive
  3. Provide individuals with clear options to say "yes" or "no"
  4. Be innovative and creative about consent mechanisms
  5. Consider the consumer's perspective in evaluating consent
  6. Make consent an ongoing process, not a one-time event
  7. Be ready to demonstrate compliance — document consent records

Principle 4 — Limiting Collection (Clause 4.4)

The collection of personal information shall be limited to that which is necessary for the purposes identified. Information shall be collected by fair and lawful means. An organization must not collect personal information indiscriminately. Each element of personal information collected must be tied to an identified purpose.

Principle 5 — Limiting Use, Disclosure, and Retention (Clause 4.5)

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes. Organizations must develop guidelines and implement procedures for the retention and destruction of personal information.

Principle 6 — Accuracy (Clause 4.6)

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. The degree of accuracy required depends on the use — information used to make a decision about an individual must be sufficiently accurate to minimize the possibility of an inappropriate decision.

Principle 7 — Safeguards (Clause 4.7)

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The level of protection must be commensurate with the sensitivity — more sensitive information requires stronger safeguards.

Categories of safeguards:

  • Physical measures: Locked filing cabinets, restricted access to offices, clean desk policies
  • Organizational measures: Security clearances, need-to-know access, staff training, confidentiality agreements
  • Technological measures: Encryption, passwords, firewalls, audit trails, access controls

Principle 8 — Openness (Clause 4.8)

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. This includes the name or title and address of the person accountable, how to access personal information, a description of the type of information held, and a general account of its use.

Principle 9 — Individual Access (Clause 4.9)

Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Response requirements (Section 8):

  • Respond with due diligence and in any case within 30 days of receiving the request (Section 8(3)); the organization may extend this by up to a further 30 days only in the circumstances listed in Section 8(4) and must tell the individual, within the original 30 days, of the new time limit and of their right to complain to the OPC
  • Failure to respond within the time limit is deemed a refusal (Section 8(5))
  • Provide the information at minimal or no cost; a cost may be charged only if the individual was told the approximate cost in advance and did not withdraw the request (Section 8(6))
  • Provide the information in a generally understandable form
  • If access is refused, inform the individual in writing of the refusal, the reasons, and the recourse available, and retain the information for as long as necessary to let the individual exhaust that recourse (Section 8(7)-(8))

Access must be refused where it would likely reveal personal information about a third party that cannot be severed from the record, unless the third party consents or the individual needs the information because their life, health, or security is threatened (Section 9(1)). Discretionary grounds for refusing access (Section 9(3)):

  • Information protected by solicitor-client privilege
  • Information generated in the course of a formal dispute resolution process
  • Information that could reasonably be expected to threaten the life or security of another individual
  • Information that would reveal confidential commercial information
  • Information collected for an investigation into a breach of an agreement or law

Principle 10 — Challenging Compliance (Clause 4.10)

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance. Organizations must have procedures to receive and respond to complaints or inquiries. They must investigate all complaints and take appropriate measures to correct information-handling practices.

Breach of Security Safeguards (Division 1.1, Sections 10.1-10.3)

Mandatory Breach Reporting (Section 10.1)

An organization must report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm (RROSH) to an individual.

RROSH Assessment Factors

The RROSH assessment must consider:

  • The sensitivity of the personal information involved
  • The probability that the information has been, is being, or will be misused
  • Any other prescribed factor

Significant harm is defined in Section 10.1(7) and includes: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

Notification Requirements (Section 10.1(2)-(6) and Breach of Security Safeguards Regulations, Sections 2-5)

Report to the OPC (Section 10.1(2), Regulations Section 2): Must be made in writing as soon as feasible after the organization determines that the breach has occurred, and must contain:

  • A description of the circumstances of the breach and, if known, the cause
  • The day on which, or the period during which, the breach occurred, or an approximation if neither is known
  • A description of the personal information involved, to the extent known
  • The number of individuals affected, or an approximate number
  • Steps taken to reduce the risk of harm to affected individuals or to mitigate that harm
  • Steps taken or intended to notify the affected individuals
  • Name and contact information of a person who can answer the OPC's questions about the breach

Notify affected individuals (Section 10.1(3)-(6), Regulations Sections 3-5):

  • As soon as feasible after the organization determines that the breach has occurred
  • Must contain: a description of the circumstances of the breach, the day or period on which it occurred, the personal information involved, the steps the organization has taken to reduce the risk of harm, the steps the individual can take to reduce the risk of harm or mitigate it, and contact information for further inquiries
  • Must be conspicuous and given directly to the individual (in person, by telephone, mail, email, or any other form a reasonable person would consider appropriate); indirect notification (for example a public announcement) is permitted only where direct notification would cause further harm, would cause undue hardship to the organization, or the organization does not have the individual's contact information

Notify other organizations (Section 10.2): If another organization or a government institution may be able to reduce the risk of harm or mitigate it (for example a bank that can freeze a compromised account), the organization must notify it as soon as feasible; consent of the individual is not required for that notification.

Record-Keeping (Section 10.3)

Organizations must keep and maintain a record of every breach of security safeguards involving personal information under their control, whether or not the breach met the real-risk-of-significant-harm threshold, for 24 months after the day on which the organization determines that the breach has occurred (Regulations Section 6). Each record must contain enough information to allow the OPC to verify compliance with the reporting and notification obligations, and must be provided to the OPC on request.

Cross-Border Transfers

OPC Position on Transfers

PIPEDA does not prohibit cross-border transfers of personal information. However, the transferring organization remains accountable for the information under Principle 1 (Accountability). The OPC requires:

  1. Comparable protection through contractual or other means
  2. Transparency about cross-border transfers in privacy policies
  3. Notification to individuals that their information may be transferred to foreign jurisdictions and may be accessible to law enforcement of those jurisdictions under lawful authority
  4. Due diligence on the foreign organization's privacy practices

Implications of Foreign Access

The OPC's Guidelines for Processing Personal Data Across Borders (2009) state that personal information transferred to another jurisdiction is subject to the laws of that jurisdiction and may be accessed by its courts, law enforcement, and national security authorities under lawful authority. This risk cannot be contracted away, so organizations must assess it before transferring and must communicate it to individuals at the time of collection or before the transfer.

Enforcement

OPC Powers

  • Receive and investigate complaints, and initiate complaints on the Commissioner's own initiative (Sections 11-13)
  • Conduct audits of an organization's personal information management practices (Section 18)
  • Publish findings and recommendations, and name organizations in the public interest (Section 20(2))
  • Enter into compliance agreements with organizations (Section 17.1) and apply to the Federal Court if an agreement is not honoured (Section 17.2)
  • Apply to the Federal Court for a hearing, or appear as a party on a complainant's application, to obtain the remedies in Section 16 (Sections 14-15)

Federal Court Remedies (Section 16)

On application by the Commissioner or the complainant, the Federal Court may order an organization to:

  • Correct its practices
  • Publish a notice of action taken
  • Award damages, including damages for humiliation

Penalties (Section 28)

Offences under PIPEDA include:

  • Obstructing the Commissioner or their delegate in an investigation or audit
  • Knowingly destroying personal information that an individual has requested access to before the individual has exhausted their recourse (contravening Section 8(8))
  • Retaliating against an employee who has filed a PIPEDA complaint or refused to contravene the Act (contravening Section 27.1(1))
  • Knowingly failing to report a breach to the OPC, notify affected individuals, or keep breach records (contravening Sections 10.1 and 10.3)

Maximum fine: $10,000 CAD for an offence punishable on summary conviction, or $100,000 CAD for an indictable offence. PIPEDA does not currently give the OPC the power to impose administrative monetary penalties.

Key Regulatory References

  • PIPEDA (S.C. 2000, c. 5)
  • Digital Privacy Act (S.C. 2015, c. 32)
  • Breach of Security Safeguards Regulations (SOR/2018-64)
  • OPC Guidelines for Obtaining Meaningful Consent (2018)
  • OPC Guidelines on Privacy and Online Behavioural Advertising
  • OPC Guidelines for Processing Personal Data Across Borders (2009)
  • CSA Model Code CAN/CSA-Q830-96 (Schedule 1 to PIPEDA)