The Personal Information Protection and Electronic Documents Act (PIPEDA) is a main federal law that relates to privacy legislation for the private sector in Canada. It focuses on how private sector organizations would collect, use, and reveal information in the course of commercial business. Furthermore, this Act contains several provisions to enable the use of electronic documents.
It was on 13 April 2020 when PIPEDA became law and started promoting consumer trust in electronic commerce. It has extended its reach and now also includes industries like the healthcare and banking sector.
The aim of the PIPEDA is “to govern the collection, use, and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for the purposes that a reasonable person would consider appropriate in the circumstances."
The Act was planned to reassure the European Union that the Canadian privacy law was adequate to secure the information of European citizens. In line with section 29 of PIPEDA, part I of the act must be checked by parliament every five years.
It makes mandatory provisions of the Canadian Standards Association’s Model Code for the protection of personal information. But several exceptions to the code exist where information is saved, collected, and revealed without the consent of the individual.
Under this Act, any personal or confidential information, that is related to federal, foreign, or provincial, can be shared to investigations without taking the permission of the individual.
An Overview of PIPEDA
PIPEDA is classified into two parts: the requirements of the organization and the rights of the individual. It allows organizations to provide services to the individual even if he/she refuses the consent for the collection. Furthermore, it allows them to use or disclose personal information unless the data is essential to the transaction. The organizations have information policies that are clear, concise, and understandable.
The rights that PIPEDA gives to individuals include some major points like, they can ask the organization why it is collecting and disclosing their PII (Personal Identifiable Information).
1. They should know who is responsible for keeping their information secure. They expect organizations to take security measures like automated vendor risk scoring to protect any information.
2. The individuals can obtain access to their information and request corrections if necessary.
3. They can also complain if they feel that organization is not handling their personal information as per the rights assigned to it.
4. They expect that organizations will not use their information for other purposes to which they are not assigned. Also, the organization should ensure to keep their data accurate and up-to-date.
How is PIPEDA Implemented?
PIPEDA is implemented in three stages. It was in 2001 when the law was applied to federally regulated industries like banking, broadcasting, and airlines. The next year, the law was expanded and included the healthcare sector as well.
By 2004, the organizations that collect personal information were covered by PIPEDA. As of 2018, seven provinces have privacy laws that were declared by the Governor in Council and are similar to PIPEDA. They are:
1. An Act Respecting the Protection of Personal Information in the Private Sector (Quebec)
2. The Personal Information Protection Act (British Columbia)
3. The Personal Information Protection Act (Alberta)
4. The Personal Health Information Protection Act (Ontario)
5. The Personal Health Information Privacy and Access Act (New Brunswick)
6. The Personal Health Information Act (Newfoundland and Labrador)
7. The Personal Health Information Act (Nova Scotia)
Ten Major Principles of PIPEDA Compliance
These principles represent the foundation of PIPEDA and are specifically detailed in the legislation. They share a common rule to properly comply with PIPEDA and collect information at first before taking action. These principles are as follows:
An organization should make at least one person responsible for looking out for the information that has been transferred for further procedures. He/she should have control to check the ins and outs of the individual’s information.
2. Identifying Purposes
The organization should identify the purpose for which the information is collected before taking any action. The person designated to do this should tell why the information is collected and must take necessary actions to avoid it for different purposes.
The designated person should get consent from the individual before collecting information. Make sure that he/she understands what giving consent means, and he/she should not be tricked into giving it.
4. Limiting Collection
The information that is collected should be strictly necessary for the purposes identified. Also, it should make sure that data is collected by lawful means. Reviewing the data collected and information isn’t required.
5. Limiting Use, Disclosure, and Retention
Personal Information shall not be disclosed for other purposes and should be retained until the purpose is fulfilled.
The responsible person should check that the information gathered is accurate and up-to-date and is limited to the purpose it is used. It should be up-to-date to minimize the risk of using old information and to make the decision regarding the individual.
The data collected shall be protected by security safeguards and should be appropriate to the sensitivity of the information. It should be protected against unauthorized access, copying, and modification.
9. Individual Access
If a person requests regarding their personal information, then you must respond whether you hold any information about them or not. If you have data about him/her, tell what kind of it is and how you would use it.
10. Challenging Compliance
You must receive, respond, and consider a complaint that you aren’t complying with any principles. Take action if you find it justified. Also, tell what action and measures are taken if they aren’t satisfied with your action.
Who All Are Subjected to PIPEDA Compliance
Organizations in Northwest Territories are considered FWUBs and are covered by PIPEDA. It is not applied to provincially regulated organizations with the province of Quebec.
Furthermore, it is not applied to Alberta or British Columbia. Like HIPAA Compliance
is applied to the healthcare sector, PIPEDA is a must for private organizations to collect data.
How HIPAA Differs from PIPEDA
Be it healthcare or any other industry, in Canada, PIPEDA is applied to every field, regardless of the entity. Once an organization has collected data, it becomes responsible for the safety of that data. Each Canadian has its rule and regulations as the values of PIPEDA remain intact.
The data collected by PIPEDA can be stored abroad. PIPEDA protects personally identifiable information such as ID numbers, income, medical records, and other data. It doesn’t cover information managed by the federal government organizations that are listed under the Privacy act and territorial governments and their agents.
Whereas, HIPAA is a federal law that governs the security of personal health information for a few sectors in the healthcare industry. These sectors include health exchange information and healthcare providers. HIPAA protects information that is received by the employer, life insurer, school or university, and more.
Several things are considered with PIPEDA because managing personal information is a broad area for any business. If you are managing information in Canada, then PIPEDA is applied to you. Understanding the key requirements is mandatory when you are collecting anyone’s information. When you are following PIPEDA, then you should assure the person that his/her data won’t be disclosed anywhere without his/her permission.
At Covetus, we build and test several healthcare applications and have vast experience in the healthcare domain. Be it a healthcare mobile app development
or healthcare product strategy: our process is explicitly designed and to make your project successful.