Organizations covered by the Personal Information Protection and Electronic Documents Act (PIPEDA) must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Individuals should also be assured that their information will be protected by appropriate safeguards.
How the Act Applies
PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity.
A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists.
Some organizations and/or activities may be exempt from PIPEDA in provinces that have privacy legislation similar to PIPEDA. To date, Quebec, British Columbia and Alberta have adopted private sector legislation deemed substantially similar to the federal law. As well, Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have adopted substantially similar legislation with respect to personal health information.
Even in those provinces, PIPEDA continues to apply to all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities as well as to federally regulated organizations such as banks, telecommunications and transportation companies.
What is “personal information”?
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
What is not covered by PIPEDA?
There are some instances where PIPEDA does not apply. Some examples include:
- Personal information handled by federal government organizations listed under the Privacy Act
- Provincial or territorial governments and their agents
- Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
- An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
- An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
- not-for-profit and charity groups
- political parties and associations.
Municipalities, universities, schools, and hospitals are generally covered by provincial laws. PIPEDA may only apply in certain situations.
What is a “federal work, undertaking, or business”?
This term includes “any work, undertaking or business that is under the legislative authority of Parliament”. While most federally regulated organizations would be captured under this definition, not all these types of organizations are federal works. For instance, insurance companies and credit unions may be subject to some federal regulation, but are considered to be within provincial jurisdiction and are not considered federal works under the Act. The Act defines a federal work, undertaking or business subject to Part 1 to include:
- airports, aircraft or airlines
- inter-provincial or international transportation by land or water
- offshore drilling operations
- radio and television broadcasting
Note that this is not an exhaustive list. The fact that a company is federally incorporated does not always mean that it is a federal work, undertaking or business. If a company is subject to any part of the Canada Labour Code, it may be a federal work, undertaking or business.
Complaints to the Office of the Privacy Commissioner of Canada
An individual may complain to the organization in question or to the Office of the Privacy Commissioner of Canada about any alleged breaches of the law.
If there are reasonable grounds, the Commissioner may also initiate a complaint.
Whenever possible, the Office of the Privacy Commissioner of Canada seeks to resolve disputes through investigation, persuasion, mediation and conciliation. This approach can be less intimidating to complainants and less costly to business than going through the courts.
In some cases, where a complaint has the potential to be resolved quickly, it is referred to an early resolution officer.
The early resolution officer works with both parties to resolve the complaint. In some cases, an issue that would have taken months to resolve through the official complaint investigation process can be resolved in a matter of days.
If a resolution cannot be found, the complaint is then investigated and the Office of the Privacy Commissioner of Canada issues a report of findings.
The Commissioner makes recommendations, not orders. However, there are provisions in PIPEDA that, in certain cases, allow complainants or the Privacy Commissioner to apply to the Federal Court for a hearing should they be unsatisfied with an outcome.
The Court may order an organization to change its practices and/or award damages to a complainant, including damages for any humiliation suffered.
The Commissioner may make public any information that comes to his knowledge in the performance or exercise of his duties or powers under the Act if it is considered in the public interest to do so.
With reasonable grounds, the Commissioner may audit the personal information management practices of an organization.
Under PIPEDA, it is an offence to:
- destroy personal information that an individual has requested;
- retaliate against an employee who has complained to the Commissioner or who refuses to contravene Sections 5 to 10 of the Act; or
- obstruct a complaint investigation or audit by the Commissioner or their delegate.
Organizations’ Responsibilities under the Act
Organizations must follow a code for the protection of personal information. This code is included in the Act as Schedule 1.
These principles are rooted in international data protection standards and are based on the Canadian Standards Association’s Model Privacy Code for the Protection of Personal Information. The code was developed with input from businesses, governments, consumer associations and other privacy stakeholders.