The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector privacy law. It governs how commercial organizations collect, use, and disclose personal information in the course of commercial activity. This multi-part series equips Canadian businesses with the information they need to bring their organizations into compliance with the Act. The first segment, Canadian Privacy Laws: PIPEDA and its Core Principles in the Cloud, introduced readers to PIPEDA and discussed the concerns businesses face when handling personal information.
- PIPEDA And Its Core Principles In The Cloud
- PIPEDA And Your Business – An Evaluation
- PIPEDA Compliance in the Canadian Cloud – An Evaluation
It is the responsibility of each business to comply with PIPEDA. A business should reassess its compliance whenever its protocols, processes, or policies change, and should fully understand what PIPEDA requires of it. This is particularly important when moving to the cloud or when reviewing a cloud service agreement.
This second installment provides a checklist aligned with the 10 Core Principles of PIPEDA (the fair information principles set out in Schedule 1 of the Act). It allows business owners to determine whether their organizations are PIPEDA compliant and suggests ways to bring them into compliance.
Self-Assessment:
Canadian businesses should review each principle, assess the criteria for that principle, and confirm that each criterion is satisfactorily met. Criteria may be ranked Met, Not Met, or Partially Met. Partially Met items should be recorded, with comments describing what is needed to bring them to Met.
Once every item has a status, the gaps (items marked Not Met or Partially Met) should be ranked by risk: how likely the gap is to lead to a privacy incident or complaint, weighed against the impact on the business if it does. Business owners should then document how the business currently complies with PIPEDA, how that compliance is carried out in practice, and what actions are required to close the remaining gaps.
This evaluation, organized around the 10 Core Principles of PIPEDA, allows business owners to review current policies and procedures and identify any areas where the company is not compliant. Several of the principles distinguish between essential and non-essential information. For the purposes of this evaluation, essential information is information required to fulfil the primary business purpose for which it is collected, while non-essential information is provided voluntarily and supports secondary purposes. The evaluation should be comprehensive so that every potential risk of non-compliance is assessed.
PIPEDA Evaluation for Business
The first step in creating a PIPEDA compliant business is to establish an environment that can collect and manage personal information appropriately. This requires appointing an individual or team to oversee all compliance matters, including the actual collection and management of the information. That individual or team is accountable for your company’s compliance with PIPEDA, and for the privacy management, governance, and protection of all personal information your company collects.
The next step is to determine what personal information you will collect and the reason or reasons for collecting it. Be very specific: list every type of information you collect or plan to collect and exactly how it will be used, and document this in your privacy policies. Collect only the information you need for your stated purposes, and retain it only for as long as necessary to fulfil them.
You need to identify the types and amount of personal information required to fulfil your purpose(s), clearly distinguishing essential from non-essential information. If you collect information that is not covered by your privacy policies, or use it for purposes outside those policies, you expose your company to complaints to the Office of the Privacy Commissioner of Canada and to the legal remedies available under the Act.
Within your privacy framework, you should clearly state that you are responsible for all personal information in your possession or custody, including information you transfer to a third party for processing. Once your team is in place, it can begin writing privacy policies for your company that reflect all of this. These policies should be easy to understand and comprehensive, so that they address all real and perceived privacy risks within your company regarding both your customers’ and your employees’ personal information.
These policies and procedures must be communicated to every member of your staff and explained to them in detail. Ideally, each staff member should receive a personal copy and sign to acknowledge receipt.
When personal information you have collected is transferred to a third party for processing, you must use contractual or other means to ensure that the information receives a level of protection comparable to your own while it is in the third party’s custody. Your team must also verify that each third party has actually implemented the privacy controls described in the agreement, rather than relying on the contract alone.
When collecting personal information from your customers and clients, you must have a process that allows them to consent to, or decline, the collection of that information. Consent may be express or implied, but its form should be commensurate with the sensitivity of the information. Individuals must be fully informed about what information is collected, how it is collected, what it is used for, and whether it will or may be provided to a third party.
You must also give every individual from whom you obtain personal information clear channels and procedures for accessing their information, correcting it, and withdrawing their consent. If a new purpose arises after the individual has consented, the individual must be notified of the new purpose and their consent obtained before the information is used or disclosed for it, unless the new use is required by law. Your privacy management framework should also address accuracy: specify when personal information is updated, based on the purposes for which it is used and the interests of the individual. Information should not be routinely updated unless doing so is necessary to fulfil the purposes for which it was collected.
Security is another significant concern when collecting personal information. Your privacy policies should describe the technical, physical, and administrative safeguards you have in place to protect personal information, in all its formats, against theft or loss and against unauthorized disclosure, modification, access, use, and copying.
10 Evaluative Questions for Businesses
1. Have I appointed an individual or team to manage all aspects of the company’s PIPEDA compliance, including the collection and management of personal information?
2. Have I identified the types of personal information my company will collect and the purposes for collecting it, and documented both in my privacy policies?
3. Have I developed policies and procedures for how my company will collect and manage all personal information, both essential and non-essential, including the process for requesting access to or correction of that information?
4. Have I distributed copies of the privacy policies and procedures to all employees and reviewed them with staff to ensure they fully understand the process?
5. Have I provided my clients and customers with the necessary information about how their personal information is collected and managed, including the process for requesting access to or correction of that information?
6. Have I put contractual agreements and company policies in place to ensure that personal information shared with third parties receives a level of privacy protection comparable to my own company’s while it is in the third party’s custody?
7. Have I implemented a process that allows my customers and clients to consent to, or decline, the collection of their personal information, with the form of consent commensurate with the sensitivity of the information?
8. Have I limited the type and amount of personal information I collect to what is necessary for the identified purposes, and collected it only by fair and lawful means?
9. Have I put a policy in place that specifies when personal information is updated, based on the purposes for which it is used and the individual’s interests, so that updates are performed only when necessary to fulfil those purposes?
10. Have I put in place, and described in my privacy policy, all technical, physical, and administrative safeguards I use to protect personal information, in all its formats, against theft or loss and against unauthorized disclosure, modification, access, use, and copying?
Conclusion
This evaluation provides a comprehensive guide for bringing your company into compliance with PIPEDA. As you can see, transparency about how personal information is handled is a common thread throughout the Act. As you conduct your own evaluation, prioritize items that carry higher risk and are easy to remediate, and identify specific projects that will improve the implementation of your policy based on your assessment results. You can refer back to our PIPEDA overview in the first part of this series.
The third segment in this series, “PIPEDA Compliance in the Canadian Cloud – An Evaluation”, will provide a guide for evaluating your current data collection, evaluating a new service provider when moving to the cloud, and evaluating your existing cloud provider. By the end of this series, you will have a clear understanding of what PIPEDA is, how it relates to your business, and how your business can become compliant.