
Personal Information Protection and Electronic Documents Act (PIPEDA)

  • Maximum Fine: CAD $100,000
  • Scope: Federal
  • Principles: 10 Principles
  • Jurisdiction: Canada


Overview

PIPEDA is Canada's federal privacy law for private-sector organizations. It sets out ground rules for how businesses must handle personal information in the course of their commercial activities.

Key Facts

  • Enacted in 2000, fully in effect since 2004
  • Applies to private sector organizations
  • Overseen by the Privacy Commissioner of Canada

Privacy Principles

Accountability

Organizations are responsible for personal information under their control and must designate someone to be accountable for compliance.

Requirements

  • Designate privacy officer
  • Implement privacy policies
  • Train staff on privacy practices
  • Monitor compliance
  • Respond to inquiries and complaints

Examples

  • Appointing Chief Privacy Officer
  • Annual privacy audits
  • Regular staff training sessions
  • Documentation of privacy practices

Identifying Purposes

Organizations must identify the purposes for collecting personal information before or at the time of collection.

Requirements

  • Document collection purposes
  • Inform individuals of purposes
  • Limit collection to identified purposes
  • Notify of new purposes
  • Obtain consent for new uses

Examples

  • Privacy notices at collection points
  • Purpose statements in forms
  • Updates for new uses of data
  • Clear collection notices

Compliance Requirements

Privacy Management Program

Organizations must implement a comprehensive privacy management program.

Steps

  • Develop privacy policies
  • Establish governance structure
  • Create privacy procedures
  • Implement training program
  • Conduct regular assessments

Documentation

  • Privacy policy manual
  • Training materials
  • Assessment reports
  • Governance documents
  • Procedure guides

Breach Response Protocol

Organizations must have procedures for identifying and responding to privacy breaches.

Steps

  • Create breach response plan
  • Establish notification procedures
  • Set up response team
  • Document incidents
  • Review and update procedures

Documentation

  • Breach response plan
  • Notification templates
  • Incident reports
  • Team contact list
  • Review records

Third-Party Management

Organizations must ensure appropriate protection of personal information transferred to third parties.

Steps

  • Assess third parties
  • Implement contractual safeguards
  • Monitor compliance
  • Review data transfers
  • Document relationships

Documentation

  • Vendor agreements
  • Assessment reports
  • Monitoring logs
  • Transfer records
  • Compliance reports

Enforcement

Commissioner Powers

The Privacy Commissioner of Canada can investigate complaints and conduct audits.

Powers

  • Receive and investigate complaints
  • Conduct audits of organizations
  • Make recommendations
  • Publish findings
  • Seek court orders

Example Cases

  • Facebook Privacy Investigation (2019): recommendations for improved privacy practices
  • Tim Hortons Location Tracking (2022): required changes to app privacy practices

Court Remedies

The Federal Court can order organizations to change practices and award damages.

Powers

  • Order compliance with PIPEDA
  • Award damages to complainants
  • Publish corrective notices
  • Require privacy practice changes
  • Issue monetary penalties

Example Cases

  • Privacy Breach Class Action (2020): damages awarded to affected individuals
  • Unauthorized Disclosure Case (2021): court-ordered privacy program improvements