Understanding Canada's Personal Information Protection and Electronic Documents Act—the cornerstone of privacy rights for individuals and businesses.
Your personal information deserves protection across all commercial activities
Access, correct, and control your data with confidence under federal law
Organizations must earn and maintain your consent for data use
PIPEDA is built on these fundamental privacy principles that govern how organizations handle personal information
Organizations are responsible for personal information under their control and must designate an individual accountable for compliance.
The purposes for which personal information is collected must be identified at or before the time of collection.
Knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.
Collection of personal information must be limited to what is necessary for identified purposes.
Personal information shall not be used or disclosed for purposes other than those consented to, except as required by law.
Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used.
Security safeguards appropriate to the sensitivity of the information must protect personal information.
Organizations must make information about their policies and practices relating to personal information readily available.
Upon request, individuals must be informed of the existence, use, and disclosure of their personal information.
Individuals can challenge an organization's compliance with these principles to the designated accountability officer.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for private-sector organizations. It became law in April 2000.
PIPEDA sets out the ground rules for how businesses must handle personal information in the course of commercial activity. It applies to federally regulated organizations and private-sector organizations in provinces without substantially similar privacy legislation.
The law gives individuals the right to access and request correction of personal information that organizations collect, use, or disclose. It also requires organizations to obtain an individual's consent when they collect, use, or disclose their personal information.
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This encompasses information in any form: biographical, biological, historical, transactional, locational, or related to the individual's identity.
The Office of the Privacy Commissioner of Canada investigates complaints, conducts audits, and promotes understanding of PIPEDA. Organizations found in violation may face consequences including orders to change practices, publication of findings, and in cases of wilful violations, fines up to $100,000.
Understanding and implementing PIPEDA requirements protects both your customers and your business