If your business collects, uses, or discloses personal information, it is important to ensure that its activities comply with Canada’s main privacy law, the Personal Information Protection and Electronic Documents Act (also known as “PIPEDA”), and other applicable privacy statutes.

The consequences of failing to handle personal information properly can include hefty administrative penalties, costly and time-consuming litigation, or even criminal prosecution for particularly egregious violations. Regardless, failing to properly safeguard personal information can be detrimental to your business and can result in a loss of customer trust and goodwill.

Does PIPEDA Apply to Your Business?

The first step to minimizing the risk of your business violating PIPEDA is to determine whether your business is subject to the law in the first place. In general, PIPEDA applies to:

1. private enterprises;
2. that collect, use, or disclose personal information; 
3. for a commercial purpose.

“Personal information” is defined very broadly in PIPEDA as simply “information about an identifiable individual”. What is important is less so whether the information falls into a particular category (e.g. credit card numbers, first and last name, or passport number) but whether the particular information, on its own or in the aggregate, can be used to identify an individual. In other words, the definition of “personal information” is subjective and contextual.

“Commercial activity” is also defined quite broadly in PIPEDA. It captures any course of conduct that is “of a commercial character”. Importantly, it is the activity, rather than the information itself, that must be “commercial” to fall under the scope of PIPEDA. For example, organizations are generally exempt from PIPEDA if they are collecting personal information solely for “journalistic, artistic, or literary purposes”.

There are several categories of businesses that are exempted from PIPEDA. It is important to determine whether an exemption applies to your business because this might mean your business is subject to a different privacy law, or that PIPEDA only captures certain types of activities that your business carries out. Some examples of exemptions include:

• Federal government enterprises listed in the schedule to the Privacy Act (e.g. the Department of Citizenship and Immigration) are not subject to PIPEDA. Provincial and territorial governments, as well as their agents, are also exempted from PIPEDA.
• Non-for-profit groups, charity groups, political parties, and political associations are generally exempt from PIPEDA. PIPEDA does apply to these organizations with respect to commercial activities that are not central to their mandate, however.
• Commercial enterprises in provinces which have enacted substantially similar privacy legislation to PIPEDA (i.e. Alberta, British Columbia, Quebec) are exempted from PIPEDA and subject to that particular legislation. Such commercial enterprises may, however, be subject to PIPEDA with respect to inter-provincial or international commercial transactions that involve the collection, use, or disclosure of personal information.
• Hospitals, schools, and municipalities may also be subject to a different privacy act.

The PIPEDA Principles

PIPEDA requires that all organizations that fall under its ambit comply with the 10 obligations set out in its schedule 1. These are known as the “PIPEDA Principles”:

1. Accountability – Businesses are ultimately accountable for ensuring compliance with the remaining nine PIPEDA Principles (below) and must ensure that a designated senior individual (or individuals) is responsible for the day-to-day collection and processing of personal information.

2. Identifying Purposes – The purposes for which personal information is collected, used, or disclosed must be identified before the information is collected.

3. Consent – Personal information cannot be collected, used, or disclosed without knowledge of and consent to such activities by the individual, except where consent would be inappropriate (e.g. where legal reasons make it impossible or impractical to seek consent). The appropriate form of consent may vary with the circumstances, but the reasonable expectations of the individual must be taken into account and the individual should be given an opportunity to withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice.

4. Limiting Collection – The collection of personal information must be limited to that which is necessary for the identified purposes.

5. Limiting Use, Disclosure, and Retention – Personal information cannot be used or disclosed for purposes other than those identified at the time of collection, absent consent from the individual or a legal requirement. Personal information should also be retained only for as long as necessary for the fulfilment of the identified purposes.

6. Accuracy – Personal information must be as accurate, complete, and up to date as necessary for the purposes for which it is to be used.

7. Safeguards – Personal information must be protected by appropriate security safeguards.

8. Openness – Organizations must make their privacy policies and practices available to individuals.

9. Individual Access – Individuals should be able to access their personal information on request and challenge the accuracy and completeness of the information, as well as request it be amended.

10. Challenging Compliance – Individuals should be able to address a specific challenge concerning compliance with the PIPEDA Principles to the designated individual responsible for the organization’s compliance

It is important to remember that a business’ obligation to comply with the PIPEDA Principles is a legal requirement, not simply a suggestion or best practice. If your business is subject to PIPEDA, your business’ privacy policy must be informed by each of these principles to be compliant. A strong privacy policy specifically considers each of these ten principles, uses clear and informed methods of obtaining consent, and uses plain language rather than legalese.

What to Do If Your Business Experiences a Privacy Breach

Businesses should act proactively by implementing protocols to follow in the event of a personal information data breach, regardless whether the business is subject to PIPEDA.

In the event of a personal information data breach, PIPEDA mandates that organizations:

1. report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals by submitting a PIPEDA breach report form;

2. notify affected individuals about those breaches; and

3. keep records of all breaches.

The organization is also required in those circumstances to take any possible steps to reduce the risk of harm or mitigate that harm.

It is an offence to knowingly contravene PIPEDA’s reporting, notification, and record-keeping requirements relating to breaches of security safeguards, and doing so can lead to fines.

The key term to keep in mind is “real risk of significant harm” (“RROSH”), as it will determine whether your business is required to report to the Privacy Commissioner and notify affected individuals. However, a record must be kept of each breach of security safeguards, whether or not they create a real risk of significant harm to individuals.

Assessing RROSH is complicated and will vary with the circumstances. The Privacy Commissioner suggests that all businesses develop a framework for assessing the RROSH to ensure that breaches are assessed consistently. This involves considering two factors: the sensitivity of the personal information implicated in the breach and the probability that the personal information has been, is being, or will be misused.

Want advice about whether PIPEDA applies to your business and your obligations thereunder? Need help drafting a privacy policy, website terms of service, or security breach assessment framework for your business? Let’s chat!