PIPEDA Overview

Blog post, category: PIPEDA, published 06 Dec

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law regarding data privacy. It also contains provisions to facilitate the use of electronic documents. PIPEDA came into effect in 2004. It governs how Canadian businesses collect, use and disclose personal information during commercial activities. The goal of PIPEDA is to balance the privacy rights of individuals against the reasonable purposes for which an organization needs to collect, use, and disclose personal information. PIPEDA applies to all private-sector organizations that collect, use, or disclose personal information during their commercial activities. Exceptions to this include Quebec, Alberta, and British Columbia, which have adopted similar privacy laws that apply to their private sector.

Who Governs PIPEDA?

PIPEDA is governed by the Office of the Privacy Commissioner of Canada (OPC). The OPC oversees the enforcement of and compliance with PIPEDA, and assists individuals and businesses in understanding and addressing privacy concerns.

Who Needs to Comply with PIPEDA?

PIPEDA applies to the following:

  • All private-sector organizations that collect, use, or disclose personal information during commercial activities, including businesses, non-profit organizations, and charities, with the exception of those in Quebec, Alberta, and British Columbia.
  • Federally regulated organizations, such as banks, airlines, and telecommunications companies, regardless of where they are located in Canada.
  • Inter-provincial providers of goods and services, such as online retailers and transportation companies that operate in more than one province.
  • Government organizations, such as federal government agencies, but only with respect to their commercial activities.

Personal Scope

PIPEDA does not explicitly refer to the nationality or place of residence of individuals. Instead, PIPEDA applies to all organizations in Canada which collect, use, or disclose personal information of natural persons in the course of commercial activities (including personal information belonging to employees).

Material Scope

PIPEDA imposes strict obligations for companies regarding the safekeeping, access, retention, and destruction of users’ personal information.

According to OPC guidelines and PIPEDA, any information could be considered sensitive depending on the context. For example, the following information constitutes sensitive personal information:

  • Medical records
  • Income records
  • Financial information
  • Work performance information
  • Social insurance numbers
  • Live streams of young children

PIPEDA does not apply to the collection, use, or disclosure of personal information for personal or household purposes; it applies only to commercial activities.

Organizations are required under PIPEDA to obtain an individual's consent prior to collecting, using, or disclosing their personal information. PIPEDA also outlines some exceptions, such as when the information is required in an emergency or when required by law.

In addition, organizations are required to have safeguards in place to protect personal information from unauthorized access, disclosure, or retention. These include technological, organizational and physical security measures, for example access controls, encryption and secure storage facilities.

What are the rights of an individual?

Individuals have the right to access their personal information, including images and footage, held by an organization. They also have the right to file a complaint with the Office of the Privacy Commissioner of Canada if they believe their privacy rights have been violated.

What if there is a data breach?

Organizations are required by law to notify affected individuals and the Office of the Privacy Commissioner. Failure to do so may lead to disciplinary action if the organization is found not to be compliant with PIPEDA.

Does PIPEDA only apply to Canada?

PIPEDA applies to organizations outside of Canada if their activities have a real and substantial connection to Canada. This is reviewed on a case-by-case basis.

Fair Information Principles

PIPEDA sets out 10 fair information principles:

  • Accountability: organizations should appoint someone to be responsible for compliance.
  • Identifying purposes: organizations must define the purpose for collecting personal information.
  • Consent: organizations must inform the data subject of the collection, use, and disclosure of personal information and obtain their consent.
  • Limiting collection: organizations must collect only the amount of data that is necessary.
  • Limiting use, disclosure, and retention: organizations must not use or disclose personal information for a purpose different from the one it was collected for, except under certain circumstances.
  • Accuracy: organizations must keep personal information accurate.
  • Safeguards: organizations must protect personal information against loss or theft.
  • Openness: privacy policies and practices must be understandable and easily available.
  • Individual access: data subjects have a right to access the personal information an organization holds about them.
  • Recourse: organizations must develop accessible complaint procedures.

If an organization fails to comply with these requirements, the result can be loss of consumer trust, damage to the organization's reputation and even penalties. Individuals may also take legal action, and courts could order remedies for significant harm caused by unauthorized access to their personal information.

What are the Obligations for the Data Controller and Data Processor?

PIPEDA does not differentiate between data controllers and data processors; instead, it imposes similar responsibilities on both. Note that organizations are required to appoint individuals who will be accountable for ensuring that the organization's data activities comply with PIPEDA's provisions.

Consent Requirements

PIPEDA requires organizations to obtain the data subject's consent to use, disclose, and retain any personal information.

An individual's consent is valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting. Therefore, the information must be provided to data subjects in manageable and easily accessible ways, and data subjects must be allowed to withdraw consent.

If there is a use or disclosure a data subject would not reasonably expect to be occurring, such as certain sharing of information with a third party or the tracking of location, express consent would likely be required.

However, the data subject's consent may not be required for certain data processing activities, such as when:

  • the collection is "clearly" in the interests of the individual and consent cannot be obtained in a timely way;
  • the data is collected in the course of employment or journalistic activity;
  • the information is already publicly available;
  • the information is collected for the detection and prevention of fraud or for law enforcement;
  • seeking the consent of the data subject might defeat the purpose of collecting the information.

Data Security Requirements

PIPEDA requires all organizations to enforce the security measures necessary to protect the personal information of data subjects against loss or theft, unauthorized access, disclosure, copying, use, or modification.

Data Breach Notification Requirement

As of November 2018, organizations are required to notify individuals, the OPC, and other organizations such as law enforcement and payment processing organizations in the event of a data breach. The notification must take place as soon as feasible once the organization has determined that the breach has occurred. To maintain compliance with PIPEDA, organizations are also required to keep a record of every data breach involving personal information.

Data Protection Officer Requirement

According to PIPEDA, an organization must appoint data protection officers. They are to be the point of contact for individuals and are responsible for monitoring compliance and PIPEDA revisions. The officer's name, title and address must be made explicitly available to anyone wishing to contact the protection officer.

Record of Processing Activities

PIPEDA requires organizations to record the purposes for which personal information is collected.

Cross Border Data Transfer Requirements

PIPEDA does not provide any specific restrictions for cross-border data transfers. However, all cross-border data transfers are subject to the “accountability” principle under PIPEDA.

Accordingly, the transferring organization remains accountable for the protection of the personal information it transfers to a third party. The OPC's Guidelines for Processing Personal Data Across Borders ('the Cross-border Guidelines') specify that suitable means include, but are not limited to, ensuring that the third party:

  • has appropriate policies and processes in place;
  • has trained its staff to ensure information is appropriately safeguarded at all times;
  • has adequate security measures in place.

In addition, the Cross-border Guidelines specify that organizations must notify customers that their personal information may be sent to another jurisdiction for processing and that, while the information is in the other jurisdiction, it may be accessed by the courts, law enforcement, and national security authorities there.

Data Subject Rights

PIPEDA grants data subjects the following rights:

  • Right to access
  • Right to accuracy and completeness
  • Right to withdraw consent and submit complaints

Penalties for PIPEDA Non-Compliance

PIPEDA imposes administrative penalties for non-compliance, where the amount varies depending upon the severity and the kind of violation. According to PIPEDA, the following conduct constitutes an offence:

  • obstructing the OPC in an investigation;
  • failing to report security breaches involving personal information under an organization’s control;
  • failing to maintain records of security breaches involving personal information under an organization’s control;
  • disciplining a whistleblower.

For offences punishable on summary conviction, fines do not exceed $10,000; for indictable offences, fines do not exceed $100,000.

How does PIPEDA Compliance Pertain to Video Surveillance?

Footage and images captured by surveillance systems are considered personal information under Canadian privacy laws and are protected by PIPEDA, so it is important that your surveillance system setup is PIPEDA-compliant.

How do you ensure surveillance system and access control systems are PIPEDA-compliant?

Video surveillance and access control systems in the private sector are subject to Canadian privacy laws, including PIPEDA. The Office of the Privacy Commissioner of Canada has published guidelines to help organizations use surveillance and access control systems in a PIPEDA-compliant way. They are as follows:

Inform the Public that Video Surveillance is Occurring:

For a Canadian organization to comply with PIPEDA, it must communicate to individuals that they are being recorded and disclose what the footage will be used for. One way to accomplish this is by posting a sign on the premises where an individual will see it prior to entering the establishment. The sign should include contact information so that individuals can ask questions or request access to their images.

Follow the ‘Reasonable Expectation of Privacy’ Rule:

Security cameras cannot be placed in areas where people have a "reasonable expectation of privacy", such as change rooms and bathrooms. All cameras should be placed in "public" areas.

Use Permissions-Based Role Management:

Use permission-based role management for access control systems and surveillance systems. User permissions let you control who can access personal information. It is recommended to restrict access based on role, on the individual user, or on other parameters, so that each user can reach only the information their duties require.
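To make the permission model above concrete, here is an added example (not code from the original post or from Altris Security Ltd) of a deny-by-default role check for a surveillance system. The role names, the site-scope rule and the audit log are assumptions for illustration: a user may perform an action on a camera only if one of their roles grants that action and the camera belongs to a site they are assigned to, and every decision, allowed or denied, is written to an audit record so that access to footage can later be reviewed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """Operations a user can perform on surveillance/access-control data."""
    VIEW_LIVE = "view_live"
    VIEW_RECORDED = "view_recorded"
    EXPORT = "export"              # copying footage off the system
    DELETE = "delete"              # retention / destruction
    MANAGE_USERS = "manage_users"


# Constructed example roles (hypothetical; not taken from the page).
# Each role lists only the actions its duties require; nothing else is granted.
ROLE_PERMISSIONS = {
    "guard": {Action.VIEW_LIVE},
    "investigator": {Action.VIEW_LIVE, Action.VIEW_RECORDED, Action.EXPORT},
    "privacy_officer": {Action.VIEW_RECORDED, Action.DELETE},
    "admin": {Action.MANAGE_USERS},   # manages accounts, sees no footage
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset   # role names from ROLE_PERMISSIONS
    sites: frozenset   # premises whose cameras/readers the user may access


@dataclass(frozen=True)
class Resource:
    resource_id: str   # e.g. a camera or door-reader identifier
    site: str          # premises the resource belongs to


@dataclass
class AuditLog:
    """Append-only record of every access decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, user, action, resource, allowed, reason):
        self.entries.append({
            "user": user.name,
            "action": action.value,
            "resource": resource.resource_id,
            "allowed": allowed,
            "reason": reason,
        })


def effective_permissions(user):
    """Union of the permissions granted by all of the user's roles.
    Unknown role names grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, action, resource, audit):
    """Deny-by-default check: the action must be granted by a role AND the
    resource must lie within the user's site scope. Every decision is logged."""
    if action not in effective_permissions(user):
        audit.record(user, action, resource, False, "action not granted by any role")
        return False
    if resource.site not in user.sites:
        audit.record(user, action, resource, False, "resource outside user's site scope")
        return False
    audit.record(user, action, resource, True, "role and scope permit")
    return True


def demo():
    """Run a few constructed access requests and return the decisions plus the audit log."""
    audit = AuditLog()
    lobby_cam = Resource("cam-lobby-01", "site-A")
    warehouse_cam = Resource("cam-wh-07", "site-B")

    guard = User("g.smith", frozenset({"guard"}), frozenset({"site-A"}))
    investigator = User("i.jones", frozenset({"investigator"}), frozenset({"site-A"}))
    admin = User("root", frozenset({"admin"}), frozenset({"site-A", "site-B"}))

    results = {
        "guard_live_own_site": authorize(guard, Action.VIEW_LIVE, lobby_cam, audit),
        "guard_export": authorize(guard, Action.EXPORT, lobby_cam, audit),
        "investigator_other_site": authorize(investigator, Action.VIEW_RECORDED, warehouse_cam, audit),
        "admin_view_footage": authorize(admin, Action.VIEW_RECORDED, lobby_cam, audit),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    for name, ok in results.items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
    print(f"{len(audit.entries)} decisions recorded")
```

The design choice worth noting is that the administrator role can manage accounts but cannot view footage: separating account administration from access to personal information keeps the number of people who can see recordings small, and the audit log gives the organization the evidence it needs when an individual asks who has accessed their images.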

Choose a Surveillance System and Access Control System That Has Documented Security Practices:

Use third-party security audits to scan for system vulnerabilities. Choose systems that use strong security measures such as end-to-end encryption. It is imperative that the information and footage are stored securely.

Develop a Video Surveillance and Access Control Policy:

Organizations should implement policies that clearly outline the goals for surveillance footage and personal information. The policy should describe how personal data is handled and how the organization adheres to the ten fair information principles of PIPEDA.

Please note that because footage captured by surveillance systems is personal information protected by PIPEDA, an organization may use the footage only for the purposes to which individuals have consented, namely the purposes stated on the signage visible prior to entry. For example, if the organization plans to use the surveillance footage to analyze consumer behaviour, the signage needs to indicate this so that the individual can make an informed decision.

Compliance as the End-User’s Responsibility

PIPEDA applies to organizations that collect personal information. Altris Security Ltd does not collect, use, or distribute any personal information, and as such PIPEDA is not applicable to Altris Security Ltd. In other words, there is no way for a video security and access control system provider like Altris Security Ltd to be compliant or non-compliant; because of how PIPEDA establishes "compliance", it simply does not apply. The organization that collects video footage and credential information is responsible for maintaining PIPEDA compliance.

PIPEDA-Compliant Surveillance and Access Control with Altris Security Ltd

Surveillance systems and access control systems are helpful tools that many organizations use to secure their facilities. By following best practices, it is easy to use surveillance and access control systems in a PIPEDA-compliant way to increase your organization's safety and visibility.

PIPEDA compliance can be complicated, and Altris Security Ltd often addresses questions from clients regarding video surveillance systems, security cameras, access control systems and data privacy regulations. Feel free to reach out to our team if you have any questions on how to implement these types of systems within your organization.

Altris Security Ltd works with organizations that use surveillance and access control systems as part of their compliance strategy. We hope to assist any client considering the use of surveillance systems and/or access control systems in their organization. Follow this link to schedule a consultation.
