The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law which was first enacted in 2000 and updated in 2015. Its goal is to encourage organizations to collect, use, and disclose personal information in a way that recognizes citizens’ right to privacy. While it was originally developed to promote trust in ecommerce, it has since been expanded to other industries, including healthcare and banking.
Under PIPEDA, there are many pieces of data which are considered personal information, including:
- Name
- ID numbers, such as social insurance numbers or driver’s license
- Age
- Financial information, such as credit and loan records
- Marital status
- Race, national, or ethnic origin
- DNA
- Employee files
- Medical records
- Education history
- Opinions, comments, and social status
Any Canadian private enterprise that collects personal data during the course of business must comply with PIPEDA. If your organization is subject to this law, here’s what you have to do to ensure compliance.
The 10 Requirements of PIPEDA
1. Accountability
Designate at least one individual who will be held accountable for PIPEDA compliance. The appointed person(s) should create a robust privacy policy encompassing the following nine principles, and will have the authority to oversee the policy’s enactment.
2. Identifying Purposes
Organizations must be able to explain why information is collected, and use it only for its intended purpose. If it will be used for a purpose outside its original scope, seek new consent as needed.
3. Consent
Prior to collecting personal information, you must ensure that you have consent from the parties providing their data. Individuals should be able to clearly understand what giving consent means, and should not feel coerced into giving it.
4. Limiting Collection
PIPEDA also mandates that organizations only collect the information absolutely necessary for conducting business. For instance, if you run an appliance repair company, you may need a homeowner’s address to send a technician out for service but wouldn’t need to collect the customer’s driver’s license or other personal information.
5. Limiting Use, Disclosure, and Retention
In your privacy policy, be sure to outline guidelines and processes that ensure information is only being used for the purpose for which the provider has given consent. Under this clause, companies are also required to establish a data retention period, which should only be as long as necessary for conducting business.
Managing data retention is one area in which Quantum excels. We can help you maintain a retention schedule that complies with your internal privacy policy and PIPEDA. As a National Association for Information Destruction (NAID) AAA certified company, we meet rigorous requirements for data destruction. Quantum ensures that your equipment in which personal information is stored, such as hard drives, is handled securely and properly destroyed. With convenient scheduling through our customer portal, you can even set up pickups that align with your company’s fixed retention periods.
6. Accuracy
Companies must also keep personal information accurate, complete, and routinely updated as needed for the purpose for which it is intended. This helps to reduce the risk of making decisions based on outdated information.
7. Safeguards
You must prevent sensitive data from being accessed by other parties, stolen, copied, or altered. Not only must data be safeguarded while on your premises, but also during any offsite destruction processes. Physical, organizational, and technical measures should be taken to protect personal information.
To help you comply with physical and technical measures, Quantum offers hard drive destruction and data wiping services. Our NIST-certified shredder dismantles hard drives into pieces of ¾” or smaller, which meets RCMP and DoD data destruction requirements. We can also wipe all traces of personal data which may be hidden in sources other than hard drives, including flash and other formats, via digital data wiping. Following these services, your files are permanently destroyed and cannot be retrieved. Thereafter, we can provide certificates for your records, which you may retain for compliance purposes.
8. Openness
In addition to seeking consent, you must also communicate your company privacy policy to customers. Your policy should include the name and contact information for the person designated as responsible for PIPEDA, as well as details about how consumers can access their personal data and how it is shared.
Within your privacy policy, you may also wish to include details about how end-of-life IT assets are destroyed by an IT asset disposition (ITAD) expert such as Quantum.
9. Individual Access
Should someone request details about what information is collected from them and how it is used, organizations must grant access to this information. If desired, a consumer can challenge the accuracy of their personal data and have it amended as needed.
10. Challenging Compliance
Finally, PIPEDA requires you to establish a process for receiving, considering, and responding to complaints about violations.