The Personal Information Protection and Electronic Documents Act (PIPEDA) is a new law that protects personal information in the hands of private sector organizations and provides guidelines for the collection, use and disclosure of that information in the course of commercial activity. The Act, based on ten privacy principles developed by the Canadian Standards Association, is overseen by the Privacy Commissioner of Canada and the Federal Court. As of January 1, 2004, all Canadian businesses are required to comply with the privacy principles set out by PIPEDA. The Act covers both traditional paper-based business and online business.
There are steps organizations must take to be privacy compliant. Under PIPEDA, personal information must be:
PIPEDA defines personal information as “information about an identifiable individual” that includes any factual or subjective information, recorded or not, in any form. For example, the following would be considered personal information:
name, address, telephone number, gender; identification numbers, income or blood type; credit records, loan records, existence of a dispute between a consumer and a merchant, and intentions to acquire goods or services.
Under PIPEDA, personal information does not include the name, business title, business address, or business telephone of any employee, i.e. the information on a business card.
The legislation also covers sensitive personal information, which may include health or medical history, racial or ethnic origin, political opinions, religious beliefs, trade union membership, financial information and sexual preferences.