Personal Information Protection and Electronic Documents Act

The "Personal Information Protection and Electronic Documents Act" (abbreviated PIPEDA or PIPED Act) is a Canadian law relating to data privacy. It governs how private-sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. PIPEDA was passed in the late 1990s to promote consumer trust in electronic commerce. The act was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens.

PIPEDA incorporates and makes mandatory provisions of the Canadian Standards Association's Model Code for the Protection of Personal Information, developed in 1995.

"Personal Information", as specified in PIPEDA, is as follows: information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

The law gives individuals the right to
* know why an organization collects, uses or discloses their personal information;
* expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;
* know who in the organization is responsible for protecting their personal information;
* expect an organization to protect their personal information by taking appropriate security measures;
* expect the personal information an organization holds about them to be accurate, complete and up-to-date;
* obtain access to their personal information and ask for corrections if necessary; and
* complain about how an organization handles their personal information if they feel their privacy rights have not been respected.

The law requires organizations to
* obtain consent when they collect, use or disclose their personal information;
* supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;
* collect information by fair and lawful means; and
* have personal information policies that are clear, understandable and readily available.

Though the Act requires that affected organizations comply with the CSA Model Code for the Protection of Personal Information, there are a number of exceptions to Code where information can be collected, used and disclosed without the consent of the individual. Examples include for investigations related to law enforcement or in the event of an emergency. There are also exceptions to the general rule that an individual shall be given access to his or her personal information.

Implementation

The implementation of PIPEDA occurred in three stages. [ [http://www.privcom.gc.ca/legislation/02_06_02a_e.asp Personal Information Protection and Electronic Documents Act - Implementation Schedule - Privacy Commissioner of Canada ] ] Starting in 2001, the law applied to federally regulated industries (such as airlines, banking and broadcasting). In 2002 the law was expanded to include the health sector. Finally in 2004, any organization that collects personal information in the course of commercial activity was covered by PIPEDA, except in provinces that have "substantially similar" privacy laws. Four provincial privacy laws have been declared by the federal Governor in Council to be substantially similar to PIPEDA:

* An Act Respecting the Protection of Personal Information in the Private Sector (Quebec).
* The Personal Information Protection Act (British Columbia).
* The Personal Information Protection Act (Alberta).
* The Personal Health Information Protection Act (Ontario).

Remedies

PIPEDA does not create an automatic right to sue for violations of the law's obligations. Instead, PIPEDA follows an ombudsman model in which complaints are taken to the Office of the Privacy Commissioner of Canada. The Commissioner is required to investigate the complaint and to produce a report at its conclusion. The report is not binding on the parties, but is more of a recommendation. The Commissioner does not have any powers to order compliance, award damages or levy penalties. The organization complained about does not have to follow the recommendations. The complainant, with the report in hand, can then take the matter to the Federal Court of Canada. The responding organization cannot take the matter to the Courts, because the report is not a decision and PIPEDA does not explicitly grant the responding organization the right to do so.

PIPEDA provides, at section 14, the complainant the right to apply to the Federal Court of Canada for a hearing with respect to the subject matter of the complaint. The Court has the power to order the organization to correct its practices, to publicise the steps it will take to correct its practices and to award damages.

External links

* [http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp Personal Information Protection and Electronic Documents Act]
* [http://privacyforbusiness.ic.gc.ca/epic/internet/inpfb-cee.nsf/en/hc00005e.html PIPEDA Overview. Industry Canada's guide for business]
* [http://wearcam.org/intelligarde_subject_access_request.htm Example of a PIPEDA request for video surveillance recordings.]
* [http://www.privacylawyer.ca/blog/index.html The Canadian Privacy Law Blog:] A regularly updated blog on issues related to privacy law and PIPEDA written by David T.S. Fraser, a Canadian privacy lawyer.

References