The Personal Information Protection and Electronic Documents Act (PIPEDA) is a regulatory law that applies to private sector organizations that collect personal information in Canada. It is designed to ensure the protection of personal information in the course of commercial activity in Canada. To help companies maintain compliance with this regulation, we have put together a PIPEDA checklist based on the Office of the Privacy Commissioner's official guidelines:
Principle 1 Accountability
Have a privacy representative: You need to appoint at least one person in the organization to be accountable for your organization’s personal information handling policies and practices.
Have privacy policies and procedures: You should have clear instructions on how personal information should be handled within the company.
Ensure accountability for organization and staff: Give your senior management the support and authority to intervene on privacy issues within the company.
Inform the public: Communicate your policies and practices for handling personal information to the public.
Be responsible for third parties that handle your company's information: Know which third parties handle personal information on your behalf and hold them responsible for upholding your data privacy standards.
Principle 2 Identify Purpose
In this step you need to ensure you have a clear purpose for all of the information that you collect, identified at or before the time the information is collected.
Identify the purposes: Know exactly why you are collecting personal information and be sure not to collect anything above what is needed.
Document the purpose (in writing): Clearly record all the reasons why you collect any piece of personal information.
Notify customers before you collect the information: Be sure to notify customers of why their information is being collected before taking the information from them.
Obtain consent for new uses of the customers' information: If you collected a piece of information for a specific purpose and now want to use that information for a new purpose, you need to inform your customers of the change of purpose and give them the opportunity to withdraw their consent.
Principle 3 Consent
The consent of an individual is required for the collection, use and disclosure of personal information.
Fulfill the knowledge requirement: Customers must know why the information is being collected before giving consent, and the explanation must be clear and understandable to an ordinary person.
Fulfill the consent requirement: Ensure that all customers give their consent for collection, use or disclosure of personal information unless an exception applies from section 7 of PIPEDA.
Choose the appropriate form of consent: There are four types of consent (express, implied, opt-in, opt-out). Be sure to use express opt-in for anything that involves sensitive personal information. Implied consent should only be used when the intended uses are obvious; if you are unsure, you can find guidelines on picking the right type of consent here. When in doubt, use express opt-in.
Methods of obtaining consent: For application forms, make sure the purposes for collection are clearly stated. For checkboxes, identify the other organizations by name, state the purpose clearly and, as a best practice, use only one box: either a "yes", which means express opt-in, or a "no", which means consent is not given.
Provide options for Withdrawal of Consent: Provide a convenient way for customers to withdraw their consent and make sure they are aware of this option at the time they give consent. Lastly, before or at the time they withdraw consent, make sure they are aware of the implications.
Principle 4 Limit Collection
Collection of personal information should be limited to what is necessary for business purposes and should be collected by fair and lawful means.
Review Collection Practices: Collect information by lawful means, collect only what is necessary and make a distinction between required and optional information. Where possible, make use of anonymized or non-personal information.
Document Collection Practices: Document your collection practices, your sources of information (if not from the customer) and establish procedures that your staff will follow when collecting information.
Obligatory vs Optional Information: At the time of collection ensure customers know what information is required vs optional information.
Principle 5 Limiting Use, Disclosure and Retention
Personal information should only be used or disclosed for the purposes for which it was collected, except with the consent of the individual or as required by law. Personal information should only be retained as long as necessary for the fulfilment of those purposes.
Limiting Use and Disclosure: Only use and disclose information in accordance with the purposes identified when it was collected. Make sure that all staff handling the personal information understand and comply with these limitations.
Retention and Destruction: Make sure that personal information is destroyed using secure methods once it is no longer needed for business purposes.
How to get more free content
If you like this article and would like to read more of our content for cybersecurity insights, tips and tricks feel free to follow us on our social media. If you’re a struggling business owner who needs help in assessing their business’s cybersecurity posture feel free to take advantage of our free introductory assessment and we’ll help you figure out a game plan for keeping your company safe.