The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that was first enacted in 2000 and updated in 2015. Its goal is to encourage organizations to collect, use, and disclose personal information in a way that recognizes citizens’ right to privacy. While it was originally developed to promote trust in e-commerce, it has since been expanded to other industries, including healthcare and banking.
Under PIPEDA, there are many pieces of data which are considered personal information, including:
- ID numbers, such as social insurance numbers or driver’s license numbers
- Age
- Financial information, such as credit and loan records
- Marital status
- Race, national, or ethnic origin
- Employee files
- Medical records
- Education history
- Opinions, comments, and social status
Any Canadian private enterprise that collects personal data during the course of business must comply with PIPEDA. If your organization is subject to this law, here’s what you have to do to ensure compliance.
The 10 Requirements of PIPEDA
2. Identifying Purposes
Organizations must be able to explain why information is collected, and use it only for its intended purpose. If it will be used for a purpose outside its original scope, seek new consent as needed.
3. Consent
Prior to collecting personal information, you must ensure that you have consent from the parties providing their data. Individuals should be able to clearly understand what giving consent means, and should not feel coerced into giving it.
4. Limiting Collection
PIPEDA also mandates that organizations collect only the information absolutely necessary for conducting business. For instance, if you run an appliance repair company, you may need a homeowner’s address to send a technician out for service, but you wouldn’t need to collect the customer’s driver’s license or other personal information.
5. Limiting Use, Disclosure, and Retention
6. Accuracy
Companies must also keep personal information accurate, complete, and routinely updated as needed for the purpose for which it is intended. This helps to reduce the risk of making decisions based on outdated information.
7. Safeguards
You must prevent sensitive data from being accessed by unauthorized parties, stolen, copied, or altered. Data must be safeguarded not only while on your premises, but also during any offsite destruction processes. Physical, organizational, and technical measures should be taken to protect personal information.
To help you comply with physical and technical measures, Quantum offers hard drive destruction and data wiping services. Our NIST-certified shredder dismantles hard drives into pieces of ¾” or smaller, which meets RCMP and DoD data destruction requirements. We can also wipe all traces of personal data which may be hidden in sources other than hard drives, including flash and other formats, via digital data wiping. Following these services, your files are permanently destroyed and cannot be retrieved. Thereafter, we can provide certificates for your records, which you may retain for compliance purposes.
9. Individual Access
Should someone request details about what information has been collected about them and how it is used, organizations must grant access to this information. If desired, a consumer can challenge the accuracy of their personal data and have it amended as needed.
10. Challenging Compliance
Finally, PIPEDA requires you to establish a process for receiving, considering, and responding to complaints about violations.