On June 18, 2015, the Digital Privacy Act received Royal Assent. The Act introduced a number of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), most of which are now in force.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal Canadian privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activity.
The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
There are a number of requirements to comply with the law. Organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.
Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards.
Related acts
Several provincial laws have been deemed substantially similar to the PIPEDA. Under paragraph 26(2)(b), the Governor in Council can exempt an organization or class of organizations, an activity or a class of activities from PIPEDA if the collection, use or disclosure of personal information occurs within a province that has legislation that has been deemed substantially similar to the PIPEDA. This means that wherever the substantially similar provincial law applies, that law applies instead of PIPEDA.
- Provincial laws that may apply instead of PIPEDA
- Canada’s anti-spam legislation
- The Digital Privacy Act and PIPEDA
Not covered by PIPEDA
There are some instances where PIPEDA does not apply. Some examples include:
- Personal information handled by federal government organizations listed under the Privacy Act
- Provincial or territorial governments and their agents
- Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
- An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
- An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
- not-for-profit and charity groups; or
- political parties and associations.
Municipalities, universities, schools, and hospitals are generally covered by provincial laws. PIPEDA may apply in certain situations.
Complianz can help you with PIPEDA and CASL.
