The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that applies to private sector organizations that collect personal information in Canada. It is designed to ensure the protection of personal information in the course of commercial activity in Canada. To help companies maintain compliance with this law, we have put together a PIPEDA checklist based on the Office of the Privacy Commissioner’s official guidelines:
Principle 6 - Accuracy
Personal information should be as accurate, complete and up-to-date as necessary for the purposes for which it will be used.
Determine Accuracy Needs: Identify how accurate your information needs to be to fulfill its business purpose. Accurate information is essential when outdated information could negatively influence a decision made about a customer or cause the customer harm.
Principle 7 - Safeguards
Personal information must be protected by security safeguards appropriate to the sensitivity of the information.
Establish an Information Security Policy: Develop policies and procedures that govern your organization’s information security practices.
Physical Safeguards: Safeguards that protect the physical storage of information assets.
Organizational Safeguards: Safeguards that govern how security is managed within the organization.
Technological Safeguards: Safeguards that protect your organization’s digital assets.
Security Awareness: Employees should be trained on the importance of maintaining the security and privacy of the organization’s information. Security awareness training should be performed regularly.
Secure Disposal: Information should be disposed of in a secure manner that prevents unauthorized people from gaining access to it.
Telework & Working Outside the Office: Develop formal procedures for employees who need to take personal information outside the company.
Secure Transmission by Fax: Look for more secure methods than fax for sending information; if you are unable to switch, be sure to secure fax transmissions as well as possible.
Principle 8 - Openness
Organizations are responsible for making information about their policies and procedures relating to personal information readily available to individuals.
Develop Information for the Public: Develop literature that the public can access describing your company’s policies and procedures around personal information, and be sure to include how customers may withdraw consent.
Make Information Available: Make the information available to the public without requiring individuals to make an unreasonable effort to find it. Offer it in a variety of ways to accommodate your customers and clients as much as possible.
Web Site Information: While a website is a good place to reach many of your customers, it should not be the only way for someone to get information about your practices.
Principle 9 - Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of their personal information and shall be given access to that information. The individual also has the right to challenge the accuracy and completeness of the information and have it amended.
Preparing for Access Requests: Ensure that your systems can facilitate the retrieval and accurate reporting of an individual’s personal information, including any disclosures to third parties.
Processing Access Requests: Respond to access requests as quickly as possible and, in any case, within 30 days of the request, at minimal or no cost to the requester. Ensure that all the information provided is presented in understandable terms.
Amending Personal Information: Allow requesters to challenge the accuracy and completeness of their information. If they can demonstrate that the information is inaccurate or incomplete, amend the information in question.
Denial of Access: If you have a reason to deny access under Section 9 of PIPEDA, you must still respond to the request within 30 days and notify the requester of the reason for the denial. Retain information that is the subject of a request for as long as necessary to allow the requester to exhaust any recourse under PIPEDA.
Extension of Time Limits: You should reply to any access request within 30 days. If this is not possible, you can extend the time limit in a few cases: if meeting the deadline would unreasonably interfere with the activities of your organization, if additional time is needed to conduct consultations, or if additional time is needed to convert the personal information to an alternative format. You must notify the requester within the original 30 days of the delay and of their right to complain to the OPC.
Principle 10 - Challenging Compliance
An individual has the right to challenge an organization’s compliance with the first nine principles of PIPEDA by addressing the challenge to the designated individual or individuals accountable for the organization’s compliance.
Implementing Compliance Challenge Procedures: Develop procedures for receiving and responding to inquiries and complaints. Make sure front line employees and managers are aware of these policies and procedures, can tell the difference between an inquiry and a complaint under the law, and know to refer them to the designated privacy officer. Lastly, make it easy for customers to file complaints with your organization.
Receiving Complaints: Record the date of the complaint and the nature of the complaint, and provide confirmation of receipt as soon as possible.
Complaint Investigations: You must investigate all complaints received and conduct any interviews without delay once the complaint is received. Once the investigation is complete, notify the complainant of the results of the investigation, any remedial action taken and any further recourse available if they are unsatisfied with the outcome.