Personal Information Protection and Electronic Documents Act
Encyclopedia
The Personal Information Protection and Electronic Documents Act (abbreviated PIPEDA or PIPED Act) is a Canadian
law relating to data privacy
. It governs how private sector
organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic document
s. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce
. The act was also intended to reassure the European Union
that the Canadian privacy law
was adequate to protect the personal information of European citizens
. In accordance with section 29 of PIPEDA, Part I of the Act ("Protection of Personal Information in the Private Sector") must be reviewed by Parliament every five years. The first Parliamentary review occurred in 2007.
PIPEDA incorporates and makes mandatory provisions of the Canadian Standards Association
's Model Code for the Protection of Personal Information, developed in 1995. However, there are a number of exceptions to the Code where information can be collected, used and disclosed without the consent of the individual. Examples include for reasons pertaining to national security or international affairs, or in the event of an emergency. Under the act, personal information can also be disclosed without knowledge or consent to investigations related to law enforcement, whether federal, provincial or foreign. There are also exceptions to the general rule that an individual shall be given access to his or her personal information. Exceptions may include information that would likely reveal personal information about a third party, information that cannot be disclosed for certain legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client privilege.
The law gives individuals the right to
The law requires organizations to
, Canada. Breaches of PHIPA are directed to the Ontario Information and Privacy Commissioner.http://www.ipc.on.ca
The Personal Health Information Protection Act serves three important functions:
. The responding organization cannot take the matter to the Courts, because the report is not a decision and PIPEDA does not explicitly grant the responding organization the right to do so.
PIPEDA provides, at section 14, the complainant the right to apply to the Federal Court of Canada
for a hearing with respect to the subject matter of the complaint. The Court has the power to order the organization to correct its practices, to publicise the steps it will take to correct its practices and to award damages.
Canada
Canada is a North American country consisting of ten provinces and three territories. Located in the northern part of the continent, it extends from the Atlantic Ocean in the east to the Pacific Ocean in the west, and northward into the Arctic Ocean...
law relating to data privacy
Data privacy
Information privacy, or data privacy is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them....
. It governs how private sector
Private sector
In economics, the private sector is that part of the economy, sometimes referred to as the citizen sector, which is run by private individuals or groups, usually as a means of enterprise for profit, and is not controlled by the state...
organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic document
Electronic document
An electronic document is any electronic media content that are intended to be used in either an electronic form or as printed output....
s. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce
Electronic commerce
Electronic commerce, commonly known as e-commerce, eCommerce or e-comm, refers to the buying and selling of products or services over electronic systems such as the Internet and other computer networks. However, the term may refer to more than just buying and selling products online...
. The act was also intended to reassure the European Union
European Union
The European Union is an economic and political union of 27 independent member states which are located primarily in Europe. The EU traces its origins from the European Coal and Steel Community and the European Economic Community , formed by six countries in 1958...
that the Canadian privacy law
Canadian privacy law
Canadian privacy law is encapsulated within multiple acts, and the Canadian charter of rights and freedoms. They are listed below in chronological order...
was adequate to protect the personal information of European citizens
Citizenship of the European Union
Citizenship of the European Union was introduced by the Maastricht Treaty . European citizenship is supplementary to national citizenship and affords rights such as the right to vote in European elections, the right to free movement and the right to consular protection from other EU states'...
. In accordance with section 29 of PIPEDA, Part I of the Act ("Protection of Personal Information in the Private Sector") must be reviewed by Parliament every five years. The first Parliamentary review occurred in 2007.
PIPEDA incorporates and makes mandatory provisions of the Canadian Standards Association
Canadian Standards Association
The Canadian Standards Association, also known as the CSA, is a not-for-profit Standards organization with the stated aim of developing standards for use in 57 different areas of specialisation...
's Model Code for the Protection of Personal Information, developed in 1995. However, there are a number of exceptions to the Code where information can be collected, used and disclosed without the consent of the individual. Examples include for reasons pertaining to national security or international affairs, or in the event of an emergency. Under the act, personal information can also be disclosed without knowledge or consent to investigations related to law enforcement, whether federal, provincial or foreign. There are also exceptions to the general rule that an individual shall be given access to his or her personal information. Exceptions may include information that would likely reveal personal information about a third party, information that cannot be disclosed for certain legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client privilege.
Overview
"Personal Information", as specified in PIPEDA, is as follows: information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.The law gives individuals the right to
- know why an organization collects, uses or discloses their personal information;
- expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;
- know who in the organization is responsible for protecting their personal information;
- expect an organization to protect their personal information by taking appropriate security measures;
- expect the personal information an organization holds about them to be accurate, complete and up-to-date;
- obtain access to their personal information and ask for corrections if necessary; and
- complain about how an organization handles their personal information if they feel their privacy rights have not been respected.
The law requires organizations to
- obtain consent when they collect, use or disclose their personal information;
- supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;
- collect information by fair and lawful means; and
- have personal information policies that are clear, understandable and readily available.
Implementation
The implementation of PIPEDA occurred in three stages. Starting in 2001, the law applied to federally regulated industries (such as airlines, banking and broadcasting). In 2002 the law was expanded to include the health sector. Finally in 2004, any organization that collects personal information in the course of commercial activity was covered by PIPEDA, except in provinces that have "substantially similar" privacy laws. Four provincial privacy laws have been declared by the federal Governor in Council to be substantially similar to PIPEDA:- An Act Respecting the Protection of Personal Information in the Private Sector (Quebec).http://www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/P_39_1/P39_1_A.html
- The Personal Information Protection Act (British Columbia).http://www.leg.bc.ca/37th4th/3rd_read/gov38-3.htm
- The Personal Information Protection Act (Alberta).http://www.qp.gov.ab.ca/documents/Acts/P06P5.cfm?frm_isbn=0779725816
- The Personal Health Information Protection Act (Ontario).
Personal Information Protection Act (British Columbia)
Notable provisions of PIPA:- Consent must be garnered for collection of personal information
- Collection of personal information limited to reasonable purposes
- Limits use and disclosure of personal information
- Limits access to personal information
- Stored personal information must be accurate and complete
- Designates the role of the Privacy Officer
- Policies and procedures for breaches of privacy
- Measures for resolution of complaints
- Special rules for employment relationships
Personal Health Information Protection Act (Ontario)
The Personal Health Information Protection Act, known by its acronym PHIPA (typically pronounced 'pee-hip-ah'), established in 2004, outlines privacy regulations for health information custodians in OntarioOntario
Ontario is a province of Canada, located in east-central Canada. It is Canada's most populous province and second largest in total area. It is home to the nation's most populous city, Toronto, and the nation's capital, Ottawa....
, Canada. Breaches of PHIPA are directed to the Ontario Information and Privacy Commissioner.http://www.ipc.on.ca
The Personal Health Information Protection Act serves three important functions:
- To govern the collection, use and disclosure of personal health information by health information custodians".
- To provide patients with a right to request access to and correction of their records of personal health information held by health information custodians.
- To impose administrative requirements (regulations) on custodians with respect to records of personal health information.
Remedies
PIPEDA does not create an automatic right to sue for violations of the law's obligations. Instead, PIPEDA follows an ombudsman model in which complaints are taken to the Office of the Privacy Commissioner of Canada. The Commissioner is required to investigate the complaint and to produce a report at its conclusion. The report is not binding on the parties, but is more of a recommendation. The Commissioner does not have any powers to order compliance, award damages or levy penalties. The organization complained about does not have to follow the recommendations. The complainant, with the report in hand, can then take the matter to the Federal Court of CanadaFederal Court of Canada
The Federal Court of Canada was a national court of Canada that heard some types of disputes arising under the central government's legislative jurisdiction...
. The responding organization cannot take the matter to the Courts, because the report is not a decision and PIPEDA does not explicitly grant the responding organization the right to do so.
PIPEDA provides, at section 14, the complainant the right to apply to the Federal Court of Canada
Federal Court of Canada
The Federal Court of Canada was a national court of Canada that heard some types of disputes arising under the central government's legislative jurisdiction...
for a hearing with respect to the subject matter of the complaint. The Court has the power to order the organization to correct its practices, to publicise the steps it will take to correct its practices and to award damages.
External links
- Personal Information Protection and Electronic Documents Act
- Example of a PIPEDA request for video surveillance recordings.
- The Canadian Privacy Law Blog: A regularly updated blog on issues related to privacy law and PIPEDA written by David T.S. Fraser, a Canadian privacy lawyer.
See also
- Fighting Internet and Wireless Spam ActFighting Internet and Wireless Spam ActBill C-28, the Fighting Internet and Wireless Spam Act , is Canada's anti-spam legislation that received royal assent on December 15, 2010. The bill replaced Bill C-27, the Electronic Commerce Protection Act , which was passed by the House of Commons, but died due to its prorogation on December 30,...