PIPEDA - Personal Information Protection and Electronic Documents Act

What Is PIPEDA?

With Royal Assent granted on April 13, 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada went into effect on January 1, 2001. On January 1, 2004, the statute went into full effect.

With the help of Canadian PIPEDA, companies can contest in the digital age on a global scale while protecting customer privacy. Every five years, the law needs to be revisited to make sure it's still serving its intended purpose, which includes preserving individuals' private data.

All information, whether factual or idiosyncratic, that can be utilized to classify an individual is considered private info.

‍

Who Is Covered By PIPEDA?

It appeals to any company in Canada that significantly obtains PI for marketable resolutions.

The Privacy Commissioner of Canada provides a handy tool for entities to utilize in determining who to report a privacy concern to. In addition, a privacy law fact sheet is included for business use.

Who is not covered by PIPEDA?

The information officer of Canada states it may not apply to provincially-regulated businesses and events that have matching privacy laws. Quebec, B.C., AB, and to a lesser extent Ontario, New Brunswick, Nova Scotia, and NL have identical rules.

PIPA, in Alberta and B.C., is analogous to PIPEDA.

The Act relates to interprovincial and global dealings by entities that cross boundaries and federally controlled entities like investment, broadcastings, and logistics firms. Even in regions with identical lawmaking, the Act applies to PI collected, utilized, or released by federally controlled entities, including FWUBs:

• Banks
• Broadcasters
• Inter-provincial trucking
• Airports/airlines
• Water transport
• Internet, cable, and phone companies
• Cross-border railroads, seaways, tubes, ferryboats, etc.

10 Privacy Principles Of PIPEDA

The ten directions laid out in Schedule 1 of the Act and recognized as the fair data rules:

1. Responsibility

An institution is answerable for private info under its authority. It must elect a person or persons liable for the entity’s adherence, including sensitive information transmitted to a third-party merchant for dispensation.

2. Identifying Objectives

Prior to or at the time of assortment, the association must categorize the resolutions for which PI is collected.

3. Consent

The grouping, use, or revelation of an individual's PI entails the person's data and accord, except when unsuitable.

4. Restraining Accumulation

Only the PI that is needed for the entities’ stated goals should be assembled. Material shall be accumulated only through ethical and legal procedures.

5. Restricting Access, Sharing, and Preserving

PI should not be used or shared for reasons other than what it was collected for, unless the person gives permission or the law says so. Information on an individual will be kept for no longer than is required for the achievement of those goals.

6. Accuracy

PI must be as correct, complete, and up-to-date as needed for the reasons for which it will be used.

7. Safeguards

Confidential data must be guarded using measures commensurate with the severity of the data's exposure.

8. Transparency

A company must make certain details about how it handles people's private data easily accessible to them.

9. Individual Access

Upon request, an individual shall be notified of the existence, usage, and revelation of his or her PI and shall be granted access to such data. An individual can dispute the data's accuracy and completeness.

10. Contesting Compliance

A person must be able to submit a challenge regarding the organization's adherence to the aforementioned principles to the designated people or individuals liable for conformity.

‍

How Does PIPEDA Protect Confidential Information?

There are three types of protections set forth by PIPEDA to guarantee the safety of delicate private information.

• Physical

An organization's physical measures should prohibit unauthorized personnel from accessing secret data. There may be surveillance cameras, locked offices, and IT operations conducted in an internal or external data center.

• Organizational

These protections pertain to the rules and procedures that an organization has in place to keep confidential data secure. Educating employees to foster a company culture that emphasizes privacy is a regular element of organizational protections. Any internal actors who get unlawful access to sensitive material must be probed.

• Technical

There are many specialized steps that an institution can take to keep its files safe. Important precautions include encrypting data, controlling and logging user activities, and creating strong firewalls to prevent unauthorized access to networks and systems containing delicate data.

‍

What Are Private Details Under PIPEDA?

The info that can be used to classify an individual has been deemed PI under PIPEDA. Identification data includes things like:

• Name
• Age
• Age
• Income
• Race/Nationality
• ethnicity
• Blood type
• Blood type
• Medications
• Education history
• Career DNA
• SSN
• DL
• Opinions
• Assessments
• Comments
• Discipline
• Staff files
• Record of loans
• Health data
• Consumer-merchant dispute
• Motivations

What is not personal information under PIPEDA?

Examples of non-personal information include:

• Knowledge about a person that is too distant or feeble (for example, a postal code on its own which covers a wide area with many homes).
• Business information.
• Anonymous data that cannot be linked to a person.
• Public servant names, positions, and titles.
• A person's business contact information that an entity gathers, uses, or publishes to communicate with that individual about their profession, trade, or profession.
• National records; People occasionally request govt info; this isn't private.
• Confidential material held by Privacy Act-covered nationwide agencies.

‍

PIPEDA vs. HIPAA vs. GDPR

Laws have been passed in Canada, the United States, and the European Union (EU) to allay habitants' fears about revealing and leaking their private details. Although these regulations share a common goal—the protection of individuals' most susceptible data—they differ widely in the particular safeguards they offer and the methods they use to enforce those safeguards.

1. Similarities

All three privacy regulations guard the delicate PI.

• PIPEDA safeguards a vast range of confidential details, containing medical info, financial data, and direct identifiers.
• HIPAA concerns keeping an individual's health records secret(PHI).
• GDPR fortifies info that can be used to unswervingly or meanderingly identify a live individual. This category includes obvious pieces of info such as a person's name, address, IP address, and cookie data. Unlike PIPEDA and HIPAA, GDPR protects delicate records such as a person's race and religious affiliation.

Employers must take precautions to protect privately recognizable info under all three confidentialities.

• The PIPEDA urges enterprises to apply specialized, materialistic, and organizational precautions.
• The HIPAA regulations stipulate related administrative, technological, and material securities to shield PHI.
• The General Data Protection Regulation (GDPR) mandates the use of suitable organizational securities for all private records. One of the precautions focuses on preventing unauthorized users from gaining physical access.

2. Differences

All three of these privacy requirements are not the same. Violating one set of rules can result in a range of various fines.

• PIPEDA: Fines of up to $100,000 per violation
• HIPAA: Penalties for violations range from $0 to $1,500,000 per year, with the latter amount reserved for the most egregious cases.
• GDPR: Fines for infractions can reach €20 million or 4% of a company's yearly global revenues, whichever is bigger.

The rights of each given person are conditional on the specific rules that are in effect at any given time.

• Under PIPEDA, customers have the option to review and update their PI.
• HIPAA: Patients can review PHI accumulated and reserved by an organization.
• GDPR: People can look at their information and ask for it to be taken out of an institution's directories.

‍

What Are PIPEDA's Data Breach Notification Requirements?

Whenever a PIPEDA-covered business discovers a privacy theft or data leak containing PI that poses a "high risk of damage to individuals," they have until November 1, 2018, to alert the OPC and the impacted individuals. Harm is defined by the OPC as "bodily hurt, humiliation, damage to status or dealings, loss of work, commercial or professional prospects, fiscal loss, individuality theft, bad impacts on the credit record, and mutilation to or impairment of property."

The Canadian Privacy Commissioner recommends that corporations think about the vulnerability of the data they collect and how it might be utilized after a breach. If the breach was the consequence of a cyber-attack and whether or not the data was encrypted or anonymized are also important factors to examine.

The Digital Privacy Act of the country, which includes these new rules, was passed in 2015.

Corporations are mandated to preserve records for two years on all data cracks of security protections, regardless of whether or not the defilements were notified to the Privacy Commissioner of Canada.

As per PIPEDA, a safety breach is "the damage of, illegal access to, or unlawful revelation of PI that results from a breach of an entity’s privacy protections that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a fiasco to launch those precautions."

‍

How To Achieve PIPEDA Compliance?

Corporations must put measures in place to guard individuals' PI in order to remain in agreement with PIPEDA. Two primary approaches exist for entities to meet PIPEDA requirements.

1. Using In-House Means

• When organizations use their own resources to create a submissive infrastructure, they have more say over the safety of their patrons' PI.
• Investing in brand-new hardware for a brand-new setting might be a costly endeavor.
• When it comes to implementing and maintaining a PIPEDA-compliant situation, smaller businesses may lack the resources and manpower.

2. Involving a third-party cloud provider

• Since cloud hosting supplies the necessary computing infrastructure, initial investment is minimized.
• Expertise from a respected source lessens the likelihood of data breaches or violations of the PIPEDA-required privacy measures.
• Cloud computing makes it easy for entities to swiftly increase or decrease their capacity in response to seasonal or cyclical shifts in client demand.

‍

Penalties For Non-Compliance

There are two categories of sanctions that can be imposed for disobedience.

• Financial penalties: Under the 2018 PIPEDA reforms, fines for knowingly breaking cybersecurity may be applied. Each infraction may result in a monetary penalty of up to CAD$100,000.
• Bad publicity: Affects businesses that do not have proper safeguards. As a result, the company's customers may lose faith in them and their ability to achieve their goals.

PIPEDA Compliance Checklist 

This checklist will help you guarantee that your corporate is PIPEDA compliant.

1. Know if you need to comply with PIPEDA. One would expect this to be the case if they were dealing with PI for commercial purposes in Canada.
2. Gain an understanding of the basics of PIPEDA compliance.
3. Appoint a PIPEDA compliance officer to certify your corporate is in line with the law.
4. Provide well-defined organizational guidelines to meet PIPEDA standards.
5. Create a Privacy Policy to inform customers of your practices.
6. Keep track of what personally identifiable information you acquire, when you collect it, from whom you collect it, what you want to do with it, and how you intend to dispose of it.
7. Explain to them how their data will be used and how they can update or remove inaccurate info.

How Can Wallarm Prevent Data Breaches and Hacks?

For APIs, web apps, architectural approaches to software, and cloud computing execution models deployed in cloud-native settings, Wallarm's API Security solutions offer comprehensive protection. Hundreds of DevOps teams use Wallarm because it provides full transparency into an organization's web apps and API endpoints, traffic flows and sensitive data usage, protects an organization's entire API depository from new threats, and allows for a computerized incident comeback, all of which contribute to more effective risk management. Our fully cloud-native technology can be deployed in various cloud and Kubernetes-based settings.