Protection of Personal Information - Your Responsibilities
Privacy Commissioner of Canada
Personal Information Protection and Electronic Documents Act; 2000, c. 5
To Whom Does This Apply?
The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.
If you own or run a business, PIPEDA is a law that
can help you enormously. Recent studies have proven that when an organization adopts fair information/privacy management practices into their operations and policies, it will make their business more competitive.
How does this work? If you manage your information
properly, you can avoid data breaches that can result in lost time and resources
spent recovering from a breach, as well as a loss of reputation. Good privacy is
good business. Businesses are encouraged to visit the Office of the Privacy Commissioner's Web site for more information on how you can incorporate privacy governance and privacy risk mitigation into your daily operations.
Collection, use or disclosure of personal information in the course of commercial activities.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is really about good information management
practices -- from which every organization benefits.
PIPEDA sets out ground rules for managing personal information in the private
sector. It balances two things:
- the need for organizations to collect, use or
disclose personal information for legitimate business purposes; and
- an individual's right to privacy of personal information.
|Commercial use of personal information within individual provinces
- As of January 1, 2004, the law applies to
organizations engaged in commercial activities across the country,
except in provinces that have their own private sector privacy laws.
- Quebec, Alberta and British Columbia each have
their own law, and Ontario has a law which focuses specifically on
personal health information.
- Even in these provinces, PIPEDA continues to
apply to the federally-regulated private sector and to personal
information in inter-provincial and international
PIPEDA in brief
Organizations covered by PIPEDA must:
- obtain an individual's consent when they collect, use
or disclose the individual's personal information;
- allow the individual to access their personal
- allow the individual to challenge the accuracy of
their personal information;
- only use the personal information for the purposes
for which it was collected;
- obtain additional consent if the personal information
is going to be used for another purpose;
- assure the individuals that their information will be protected by specific safeguards e.g., locked cabinets, computer passwords or encryption.
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or
- opinions, evaluations, comments, social status, or
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Personal information DOES NOT include the name, title, business address or telephone number of an employee of an organization.
The PIPEDA Guide for Businesses and
Organizations outlines their responsibilities under PIPEDA. There
are ten "fair information principles" outlined in the guide, with explanations
of how businesses and organizations can adhere to these principles. The principles are:
|Identify the purpose
||Use appropriate safeguards
||Give individuals access
|Limit use, disclosure and retention
Information contained in this section is of a general nature only and is not intended to constitute advice for any specific fact situation. For particular questions, the users are invited to contact their lawyer. For additional information, see contact(s) listed below.
See National Contact.
Privacy Commissioner of Canada
3rd Floor, Tower B
Place de Ville
112 Kent Street
TTY (hearing impaired):
Information contained in this document is of a general nature only and is not intended to constitute advice for any specific fact situation. Users concerned about the reliability of the information should consult directly with the source, or seek legal counsel.
Some of the hypertext links lead to non-federal government sites which are not subject to the Official Languages Act and the material is available in one language only.