Canada’s PIPEDA: Does it affect me?

If you’re a Canadian or someone who does business in Canada, the short answer is yes. The Personal Information Protection and Electronic Documents Act or PIPEDA holds organizations in Canada accountable for the protection of all collected personally identifiable information (PII) and gives Canadians recourse if ever their PII is compromised.

The more relevant question to ask now is, “how does PIPEDA affect me?” Generally speaking, regulations affect two sets of people, namely the parties who are regulated and the parties who the regulations protect. In the case of PIPEDA, the former consists of business operators in Canada, while the latter consists of Canadian consumers. Let’s take a look at each of them briefly.

How PIPEDA affects the private sector

The collection of PII is a generally accepted business practice. While not necessary for all business transactions (think buying groceries from the supermarket), PII is obtained by many companies to:

• Create customer accounts that facilitate repeat business
• Establish identity and logistics when making reservations
• Establish sender and/or recipient roles when delivering goods

Consumers trust companies with their PII to establish relationships with them, which is why the latter has the responsibility to protect that information. For instance, hotels and resorts know that their guests come to them to relax and be pampered, but the unauthorized disclosure of guest lists will surely make vacationing visitors worry why people would want to know where they are.

Hospitals and caregivers must also keep the PII of their patients close to their chests because social stigma and unease surround particular diseases or conditions. And, of course, banks and financial institutions must always remain vigilant against identity thieves who drain funds, make purchases, or take out loans masquerading as other people.

This is why every business that collects PII — regardless of size — is required by PIPEDA to do the following:

1. Designate or hire someone as your privacy officer, i.e., someone who’ll implement a privacy policy and incident plan, initiate security training and awareness programs, work with security experts to perform preventive measures, and liaise with regulators during data breach investigations
2. Review and update contracts and agreements for PIPEDA compliance
3. Implement access management controls and perform regular data audits
4. Come up with and regularly update a data breach response plan

If you’re the proprietor of a small- to medium-sized business (SMB), you’ll most likely have to partner up with a managed IT services provider (MSP) that has extensive experience in regulations compliance. You might think that you’ll save money by striking out on your own, but staying in line with laws that can be amended over time may cost you a lot of time and effort, not to mention fines of up to $100,000 per violation.

How PIPEDA affects the everyday consumer

If an individual finds that an organization has been remiss in its obligation to protect their PII, they are encouraged to resolve their concerns directly with that organization first. However, if the concern is not resolved, the individual can file their complaints with the Office of the Privacy Commissioner of Canada (OPC).

Depending on the validity of the case and the willingness of the organization to cooperate with the OPC, complaints can be resolved easily or reach as far as the federal court. What this essentially means is that individuals are no longer powerless when it comes to addressing misdealings with corporations. Consumers can now rely on their government to have their backs when it comes to protecting their privacy.

PIPEDA is a necessary piece of Canadian legislation that emphasizes the value of trust between transacting parties and ultimately fosters continued stability in the economy. Businesses in Toronto trust XBASE Technologies to help them comply with shifting legal landscapes in Canada and the rest of the world. Drop us a line to learn how you too can leverage our regulatory compliance experience and expertise today.