Is Your Business PIPEDA Compliant?

Since January 1st of 2004, Canadian businesses (traditional, online and paper-based) must comply with the privacy principles defined by the PIPEDA Act.

What is PIPEDA?

PIPEDA stands for Personal Information Protection and Electronic Documents Act. This act was put in place to regulate how employers can collect, disclose and use personal information gathered from their clients and employees. In the context of this act, “personal information” refers to any “information about an identifiable individual.” This type of information encompasses all factual or subjective info in any form, whether it is recorded or not. The following information is considered identifiable under PIPEDA:

  • Name
  • Address
  • Telephone number
  • Gender
  • Income
  • Blood type
  • Credit and loan records
  • Identification numbers (driver’s licence, provincial health card)
  • Sensitive information (medical history, ethnic or racial origin, religious beliefs, trade union memberships, sexual orientation, political beliefs)

Personal business information such as the name, business title, business address, telephone number and extension of an employee or any information contained on their business card is not considered identifiable information.

Does your business comply?

If you run a business that requires you to take sensitive information from clients, make sure that this information is protected. That may mean housing this data in a secure server or program that requires special access in order to view it. Furthermore, be upfront with your clients so that they know what you are using their personal information for. The same goes for employee information. As long as all personal information from clients and employees is securely stored and only used for the reasons it was collected, then your business probably complies with PIPEDA. The 10 principles below will give you an idea of what you need to do to ensure full compliance.

PIPEDA operates on the basis of 10 principles that employers must respect.

  1. Accountability: You must designate someone (along with yourself) who can be held accountable for complying with the act.
  2. Identifying purposes: You must specify why you are collecting personal information from your employees before you collect it.
  3. Consent: You need your employees’ consent to collect, use or disclose their personal information.
  4. Limiting collection: You can only collect personal information from your employees through fair and lawful means.
  5. Limiting use, disclosure and retention: You cannot disclose, use or retain personal information for anything other than the purposes you’ve identified during (#2) unless you are given permission from the employee.
  6. Accuracy: Employees’ personal information needs to be accurate, up to date and complete.
  7. Safeguards: All personal employee information you’ve collected must be secure and protected.
  8. Openness: Your personal information policies must be available for employees to peruse.
  9. Individual access: Employees should be granted access to their personal information.
  10. Challenging compliance: If an employee deems that you have violated PIPEDA, they have the right to challenge compliance with you or the other person you have designated as an accountable party.

Share To Amplify This Blog Post:
0 Comment

Leave a Reply