Canada Personal Information Protection and Electronic Documents Act | PIPEDA

PIPEDA sets out 10 fair information principles (Schedule 1 of the Act), which are as follows:

  • Accountability: an organization is responsible for the personal information under its control and must designate an individual who is accountable for its compliance with the principles.
  • Identifying purposes: the purposes for which personal information is collected must be identified at or before the time of collection.
  • Consent: the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  • Limiting collection: collection must be limited to what is necessary for the identified purposes, and information must be collected by fair and lawful means.
  • Limiting use, disclosure, and retention: personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law, and must be retained only as long as necessary to fulfil those purposes.
  • Accuracy: personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.
  • Safeguards: personal information must be protected by security safeguards appropriate to its sensitivity, against loss or theft as well as unauthorized access, disclosure, copying, use, or modification.
  • Openness: an organization's policies and practices for managing personal information must be readily available and understandable to individuals.
  • Individual access: on request, an individual must be informed of the existence, use, and disclosure of their personal information, be given access to it, and be able to challenge its accuracy and completeness and have it amended as appropriate.
  • Challenging compliance: an individual must be able to address a challenge concerning compliance with these principles to the designated accountable individual, so organizations must have accessible complaint procedures.


The Trust Challenge

Key Obligations & Consequences

  • Understand whether and when PIPEDA affects you. If you collect, use or disclose personal information in the course of commercial activities in Canada, PIPEDA normally applies.
  • The main exceptions are activity that takes place entirely within a province that has its own substantially similar private-sector privacy law (currently Quebec, British Columbia and Alberta), and the non-commercial activities of non-profit groups carrying out their main purpose (such as charity work or political campaigning). Federally regulated organizations such as banks, telecommunications companies and airlines remain subject to PIPEDA wherever they operate, as does personal information that crosses provincial or national borders in the course of commercial activity. Federal government institutions are governed by the Privacy Act instead.
  • Understand the key requirements: you must obtain meaningful consent (express or implied, depending on the sensitivity of the information and the reasonable expectations of the individual) for the specific purposes you have identified, you must let individuals see and if necessary correct their information, and you must safeguard it with measures appropriate to its sensitivity.
  • Designate a senior person from your organization to take responsibility for PIPEDA compliance, and make that person's name or title and contact details available to individuals.
  • Develop clear policies and procedures to make sure you follow the 10 principles of PIPEDA, bearing in mind that the principles are part of the law (Schedule 1 of the Act) rather than general guidance. Publish a privacy policy that discloses those policies and procedures.
  • Keep records of the purposes for which you gather information, the consent you have obtained, the ways in which you use or share the information, and when you should dispose of it.
  • Make sure individuals know how you handle information, how they can access and correct it, and how they can complain if they think you have breached PIPEDA. Have systems in place to handle these requests and complaints; an access request must normally be answered within 30 days of receipt.
  • Never destroy information that is the subject of a valid access request, retaliate against an employee who in good faith reports a contravention of the Act or refuses to take part in one, or obstruct the Privacy Commissioner's investigation of a complaint or an audit. Knowingly failing to report or keep records of breaches of security safeguards is also an offence. These are offences under the Act, punishable by fines of up to $100,000 on indictment.

The Trust Challenge

Key Challenges in brief:

Fulfillment of Data Subject Rights

  • Privacy notices:
    The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.
  • Rights to access information:
    Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and shall be given access to that information. An organization shall respond to an individual's request within a reasonable time (normally no later than 30 days after receipt) and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Consent Requirement

An individual may withdraw consent to the collection, use and disclosure of personal information at any time, subject to legal or contractual restrictions and reasonable notice, and the organization must inform the individual of the implications of withdrawing consent. If an individual withdraws consent and/or the purpose of collection has been fulfilled, the organization should delete such information, in particular where requested by the individual in question. PIPEDA's retention principle requires that personal information no longer needed for the identified purposes be destroyed, erased, or made anonymous.

Data Breach Notification

An organization must report any breach of security safeguards involving personal information under its control to the Privacy Commissioner if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Both the report and the notification must be made as soon as feasible after the organization determines that the breach has occurred, and the organization must also notify any other organization or government institution that may be able to reduce or mitigate the risk of harm. "Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property; whether the risk is "real" turns on the sensitivity of the information and the probability that it has been, is being, or will be misused. Regardless of whether a breach is reportable, the organization must keep a record of every breach of security safeguards for 24 months from the date it determined the breach occurred, and provide those records to the Commissioner on request.

Cross Border Data Transfer

PIPEDA does not contain any specific restrictions related to cross-border data flows. However, all transfers of personal information to a third-party processor, whether within Canada or cross-border, are subject to the "accountability" principle under PIPEDA. Specifically, an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. The Privacy Commissioner's guidance also expects the transferring organization to be transparent with individuals that their information may be processed in a foreign jurisdiction and may be accessible to that jurisdiction's courts, law enforcement and national security authorities.

Win-Win Situation

Solutions

  • Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire "data footprint", so they can protect what matters most.
  • Third-party Privacy Intelligence (monitors third-party sharing): Silos between entities, or between business and IT teams, make it hard to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors and business partners. TurtleShield PI (Privacy Intelligence) builds a data map based on your actual data sharing so that you can act on it.
  • Data Minimization: TurtleShield DM (Data Minimization) helps businesses reduce excess data and adhere to the data minimization principle. This is a data hygiene control, approached from a risk-reduction and compliance perspective. We scan large data sets with machine learning to identify excess data, including personal data. Removing unwanted data eliminates operational inefficiencies and saves both storage cost and the legal cost of retaining data that regulation says you should not hold.
  • Right to be Forgotten (RTBF) with Assured Deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.
  • Enable data subject rights with cost savings and complete compliance: Search across large datasets to fulfil data subject requests completely and quickly. The assumption that data exists only in databases is often not reality, as customer data lives in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.
