PIPEDA: Protecting the Privacy of Canadian Citizens

September 28, 2019 at 8:46 am by Paul Falcone

What is PIPEDA?

Since crafting the original Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, Canada has been an innovative force in sensitive-data privacy protection. Originally created to foster trust in ecommerce, PIPEDA has evolved to provide more stringent data protection across the digital landscape.

The basic premise of PIPEDA is to prevent Personally Identifiable Information (PII) from being used or disseminated without purposeful consent from the individual. If an organization wants to use PII for more than one explicit purpose, multiple requests or a comprehensive request must be made to secure the individual’s consent. The law also grants individuals the right to access their data and stipulates that organizations must make their compliance policies readily accessible and easily understood.

As of November 1, 2018, a new provision regulating protocol for a PII data breach was added to PIPEDA. All organizations that experience such a breach must report any ramifications that may put individuals at risk to the Privacy Commissioner of Canada. The organization must also notify the individuals affected by the breach and notify any other organizations that may be able to help the individuals avoid data misuse or harm. Detailed records regarding each breach must be kept at least 24 months after the date of the incident.

Organizations Subject to PIPEDA Regulations

PIPEDA applies to any private-sector organization (including those regulated on a federal level by the Canadian government) that collects personal information through commercial activity. Commercial activity excludes donations and fundraising, organizational membership fees, and lists related to communication generated by nonprofit organizations, schools, hospitals and political parties. However, if such lists are sold, bartered, or leased, that activity becomes subject to PIPEDA regulations.

Additionally, if a province has its own private-sector law that is similar to PIPEDA, then any private-sector organization operating solely within that province is not subject to PIPEDA. Currently, Alberta, British Columbia, and Quebec have such laws in effect; however, any business operating in Canada that handles PII is subject to PIPEDA if that information crosses provincial or national borders. Organizations operating solely within Ontario, New Brunswick, Newfoundland, Labrador, and Nova Scotia are also exempt from PIPEDA as concerns health data only. Since PIPEDA is similar to the EU’s General Data Protection Regulation (GDPR), information is allowed to flow freely from compliant organizations within the EU and Canada.

What Information is Covered by PIPEDA?

PII under PIPEDA regulations includes age, name, ID numbers (including Social Insurance and driver’s license numbers), financial information (including credit and loan records and disputes with merchants), race, religion or ethnic origin, marital status, health information (including DNA and blood type), education, and employment history (including employee files such as opinions and comments, evaluations, and disciplinary actions).

The Fair Information Principles

PIPEDA Schedule 1 Section 5 outlines ten stipulations—referred to as the Fair Information Principles—that must be followed:

1. Accountability: PII under an organization’s control is that organization’s responsibility. Organizations must designate a Privacy Officer to ensure compliance.
2. Identifying Purposes: At the time of PII collection, organizations are required to disclose any and all purposes for which the personal data will be used.
3. Consent: Except for cases in which legal, medical, or security reasons render consent impossible or impractical, an individual’s consent is required for collection, use, or disclosure of PII.
4. Limiting Collection: Data collection must be limited to data needed for purposes identified by the organization prior to individuals’ consent.
5. Limiting Use, Disclosure and Retention: PII may only be used for the purposes of its collection as agreed to by the individual. PII may only be retained for as long as is required to serve those purposes; subsequently, it must be disposed of securely (unless the individual consents to further PII retention and use).
6. Accuracy: PII must be as accurate and complete as possible to satisfy the purposes for which it’s used.
7. Safeguards: PII must be safeguarded against theft, loss and unauthorized access, use and modification.
8. Openness: Organizations must ensure that policies and procedures related to their management of personal data are easily accessible to individuals in language that is generally understood.
9. Individual Access: Upon request, individuals shall be informed of the existence, use, and disclosure of their PII and be granted access to it. Individuals may challenge the completeness of the information and have it amended. The only exception to this principle is when the information cannot be disclosed for legal or security reasons.
10. Challenging Compliance: An individual may challenge an organization’s compliance with PIPEDA directly through its Privacy Officer.

PIPEDA and Data Destruction

Fair Information Principle 5 stipulates that PII in any form no longer serving its specifically intended purposes must be disposed of securely, and that any information retained for statistical purposes must be rendered anonymous. Organizations should have a comprehensive plan addressing the PII life cycle that mandates (through proprietary or third-party means) adequately secure data destruction. Should destruction of electronic devices be necessary, one person should be assigned responsibility.

Organizations may use properly credentialed third-party vendors for data destruction and disposal, although the organizations are responsible for verifying results. Organizations must ensure that the third-party vendor used has comprehensive plans for both secure transportation and transmission of sensitive data to/from their facility, as well as comprehensive destruction plans. Ideally, the organization would have the capability to monitor third-party data destruction and conduct periodic reviews and audits. Of course, the most secure method is to utilize in-house data destruction.

Acceptable methods of data destruction are dependent on the media. Hard copies of data must be destroyed to the point of impossible recovery. Acceptable methods include disintegration, incineration, pulverization, melting, and shredding. Electronic copies of data must be destroyed through complete deletion without means of simple recovery, complete overwriting with non-sensitive data, or degaussing (for magnetic media only).

When being completely destroyed, all media containing PII should be disposed of in accordance with the parameters defined in internationally recognized data destruction guidelines from DIN Standard 66399. Materials classified within the DIN Standard are:

• Original-sized physical media (e.g., paper, printing plates—classified as “P”)
• Reduced-sized physical media (e.g., microfilm—classified as “F”)
• Optical media (e.g., CDs or Blu-Ray—classified as “O”)
• Magnetic data devices (e.g., payment cards and floppy disks—classified as “T”)
• Hard disk drives (classified as “H”)
• Electronic data devices (e.g., USB drives and SSDs—classified as “E”)

For each media classification, DIN Standard 66399 outlines security measures from 1 (lowest level: reproduction of destroyed data requires little effort) through 7 (highest level: reproduction of destroyed data is impossible given current state of technology) that have associated data-destruction specifications.

When procuring third-party vendors or machinery for data destruction, it’s imperative you ensure compliance with, and adherence to, the appropriate security ratings and PIPEDA regulations. Companies like SEM provide sophisticated data destruction technology solutions to keep your organization in compliance with PIPEDA and other global security standards.