What is PIPEDA? A Summary For Small Business

by TUCU Managed IT Services in Toronto


What is PIPEDA?

PIPEDA (Personal Information Protection and Electronic Documents Act) is a Canadian data privacy law that applies to the collection, use or disclosure of personal information in the course of a commercial activity. Our team of Small Business IT Service Providers has put together a summary to guide you.


What information falls under PIPEDA?

  • Age, name, ID numbers, income, ethnic origin, or blood type
  • Opinions, evaluations, comments, social status, or disciplinary actions
  • Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or to change jobs)

What email methods are suitable for sending/receiving PIPEDA regulated information?

PIPEDA does not prescribe specific configurations or methods for sending or receiving data by email or any other medium. What it provides is a set of principles that should be followed in order to be considered PIPEDA compliant. These principles are:

  1. Be Accountable
  2. Identify the Purpose
  3. Obtain Informed Consent
  4. Limit Collection
  5. Limit Use, Disclosure and Retention
  6. Be Accurate
  7. Use Appropriate Safeguards
  8. Be Open
  9. Give Individuals Access
  10. Provide Recourse

You can work with an IT Consultant to help you develop IT policies that support your PIPEDA compliance.


What are my responsibilities?

PIPEDA provides ten (10) principles to help businesses become PIPEDA compliant. Each principle contains a list of responsibilities to help businesses with compliance. They include:

  • Be Accountable
      • Comply with all 10 of the principles.
      • Appoint an individual to be responsible for your organization's compliance.
      • Protect all personal information held by your organization or transferred to a third party for processing.
      • Develop and implement personal information policies and practices.

  • Identify the Purpose
      • Before or when any personal information is collected, identify why it is needed and how it will be used.
      • Document why the information is collected.
      • Inform the individual from whom the information is collected why it is needed.
      • Identify any new purpose for the information and obtain the individual’s consent before using it.

  • Obtain Informed Consent
      • Specify what personal information you are collecting and why, in a way that your customers and clients can clearly understand.
      • Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
      • Obtain the individual’s consent before or at the time of collection, as well as when a new use of their personal information is identified.

  • Limit Collection
      • Do not collect personal information indiscriminately.
      • Do not deceive or mislead individuals about the reasons for collecting personal information.

  • Limit Use, Disclosure and Retention
      • Use or disclose personal information only for the purpose for which it was collected, unless the individual consents or the use or disclosure is authorized by the Act.
      • Keep personal information only as long as necessary to satisfy those purposes.
      • Put guidelines and procedures in place for retaining and destroying personal information.
      • Keep personal information used to make a decision about a person for a reasonable period of time, so that the person can obtain the information after the decision and pursue redress.
      • Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.

  • Be Accurate
      • Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.

  • Use Appropriate Safeguards
      • Protect personal information against loss or theft.
      • Safeguard the information from unauthorized access, disclosure, copying, use or modification.
      • Protect personal information regardless of the format in which it is held.

  • Be Open
      • Inform customers, clients and employees that you have policies and practices for the management of personal information.
      • Make these policies and practices understandable and easily available.

  • Give Individuals Access
      • When requested, inform individuals whether you hold any personal information about them.
      • Explain how it is or has been used and provide a list of any organizations to which it has been disclosed.
      • Give individuals access to their information.
      • Correct or amend any personal information if its accuracy and completeness are challenged and found to be deficient.
      • Provide a copy of the information requested, or reasons for not providing access, subject to the exceptions set out in Section 9 of the Act.
      • Note any disagreement on the file and advise third parties where appropriate.

  • Provide Recourse
      • Develop simple and easily accessible complaint procedures.
      • Inform complainants of their avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.
      • Investigate all complaints received.
      • Take appropriate measures to correct information handling practices and policies.

What IT security requirements apply to a small business that stores PIPEDA-protected information?

  • The PIPEDA principle “Use Appropriate Safeguards” contains a list of security recommendations. They include:
      • Develop and implement a security policy to protect personal information.
      • Use appropriate security safeguards to provide the necessary protection:
          • physical measures (locked filing cabinets, restricting access to offices, alarm systems)
          • technological tools (passwords, encryption, firewalls)
          • organizational controls (security clearances, limiting access on a “need-to-know” basis, staff training, agreements)
      • Review your security safeguards regularly to make sure they are up to date and that known vulnerabilities have been addressed.
      • Make your employees aware of the importance of maintaining the security and confidentiality of personal information.
      • Reinforce staff awareness by holding regular training on security safeguards.
  • At the federal level, PIPEDA does not require that all data be stored in Canada or on Canadian servers. Provincial legislation may require it, however, depending on the type of business, industry or sector you are in. See, for example, the Ontario Personal Health Information Protection Act: https://www.ontario.ca/laws/statute/04p03

What else do we need to know?

Learn more from the following sources used in compiling this summary for you.

Source 1: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/guide_org/

Source 2: https://www.priv.gc.ca/media/2038/guide_org_e.pdf


IT Consulting Services in Toronto: For guidance on planning and implementing IT changes in your business, please call on our team of knowledgeable IT Consultants and technicians. TUCU is an IT Services Provider located in Toronto ON, offering IT consulting, IT security services, and IT management services. We specialize in SMB IT Solutions and invite you to schedule your free consultation to learn how we can help you take control of your IT systems.
