In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection and use of personal information and how it's protected.
The PIPEDA law from Canada
The PIPEDA Act requires covered organizations and other entities (businesses) to get a user's consent when collecting, using or disclosing that user's personal information.
Whatever personal information you collect from users may only be used for the express purpose for which it was collected and nothing more.
Any additional use outside the original scope requires further consent from the user. Also, users must be assured that the information collector (the business, the website, the mobile app) will reasonably protect their information.
Any commercial activity that uses, collects, or discloses some kind of personal information is covered by the regulations of the PIPEDA Act in Canada.
Commercial activity means any particular transaction, act, conduct, or any regular course of conduct that is commercial in character, including selling, bartering or leasing of donor, membership or fundraising lists.
This inherently includes websites, mobile apps, Facebook apps and desktop apps. If any of these platforms is operated in one of the capacities specified above, it's covered by Canada's Act.
If a business isn't generating any revenue from a website or mobile app, it still might be covered. If the personal information gathered from users is used for future website and app development or to improve the experience of users on the website or mobile app, then the website or mobile app is indirectly benefiting commercially.
Therefore, it's covered.
Personal information can be a nebulous term. It could be anything that someone finds to be private in nature.
PIPEDA statutorily defines "personal information" to include any factual or subjective information, recorded or not, about an identifiable individual. This includes:
- ID numbers
- ethnic origin
- blood type
- social status
- disciplinary actions
- employee files
- credit records
- loan records
- medical records
- the existence of a dispute between a consumer and a merchant
- and so on
As you can see, PIPEDA's scope of coverage is comprehensive.
Specific categories are excluded from coverage, such as personal information collected solely for artistic, journalistic or literary purposes, and information collected by designated governmental agencies.
The principles from PIPEDA
Canada's PIPEDA Act establishes a base rule: there is an overarching obligation to remain responsible for safeguarding personal information and handling it fairly at all times, throughout the entire organization and in all third-party dealings.
Businesses are required to collect, use or disclose personal information only for a reasonable purpose.
Alongside this base rule, Schedule I of PIPEDA lays out 10 Fair Information Principles that businesses must follow to remain in compliance with the Act:
Accountability
Businesses must be accountable. To fulfill this principle, assign an individual from your business to be responsible for active compliance with Canada's PIPEDA Act.
A business should take extra precautions to protect the personal information it collects from users. As a business owner, you should develop a series of policies to keep the collected information protected.
Accountability goes further than just a business owner's own actions.
When personal information is shared with third parties, the original information collector remains responsible for any mishandling that results from that interaction.
Shopify may use third party service providers to provide certain services to you and we may share Personal Information with such service providers. We require any company with which we may share Personal Information to protect that data in a manner consistent with this policy and to limit the use of such Personal Information to the performance of services for Shopify.
Identifying Purposes
The purpose of collecting a piece of personal information must always be clear.
At the point of collecting any type of information, state why the information is being gathered and what its purpose will be.
The clearer the purpose of the information use, the better.
Consent
Under Canada's PIPEDA, informed consent must be meaningful and clear.
Before getting consent from a user, you should explain how the information you'll collect will be used. This mustn't be done in a deceptive manner.
According to PIPEDA, consent should be sought not only before obtaining a piece of information but also renewed and sought again on an ongoing basis. There are several exceptions to this, but they should be relied on only after every other step has been implemented.
Limiting Collection
Personal information shouldn't be collected haphazardly, and users mustn't be misled about the reasons for which the information is being collected.
The scope of information that's gathered should be narrow and tailored to the exact requirements needed: nothing more or less.
Limit Use, Disclosure And Retention
Businesses must use personal information only for the purpose the user agreed upon and must keep it only as long as necessary to achieve that purpose.
Once the information is no longer necessary for the purpose it was gathered, it must be destroyed, erased or rendered anonymous.
Information that isn't necessary and is stored indefinitely without purpose is a potential data breach waiting to happen.
Daatacratic does not collect any personally identifiable information about you when you visit the Website unless you voluntarily provide this information, for example by contacting us through our email forms (including sending us queries or responding through the Website to our job postings). Personal information collected in these cases may include your name, contact details, email address, telephone number and your resume.
Accuracy
All uses of users' information must be accurate and appropriate. Personal information records must be kept complete, organized and as up to date as possible.
Personal information that's used regularly must be kept up to date.
Safeguards
Personal information that's collected through a website or mobile app must be protected from theft, loss, unauthorized access, disclosure, use, copying or modification, regardless of how the information is stored.
The sensitive nature of the information collected, the amount of it and the extent of any breaches of safeguards are all taken into account when considering whether a business has met its duty.
Openness
The policies must be clear and easily understood by a reasonable layperson.
Individual Access
Individuals whose personal information has been used or disclosed have a right to access that information.
Businesses, once requested, must inform users of all information the business has on them and provide full and accurate disclosure on how it's being used.
Challenging Compliance
Finally, businesses must provide some form of complaint procedure for users.
All complaints must be investigated to some capacity and corrective action must be taken if warranted.
How to comply with PIPEDA
How should a business move forward and improve its website or mobile app while adhering to the regulations imposed by PIPEDA?
Below are a series of questions, broken into categories, that should be considered before you decide whether your website or mobile app is market ready.
Consider what information is going to be collected from users:
- Is the information you're going to collect considered personal information under Canada's PIPEDA Act?
- Will the information be used as a part of a routine business practice? e.g. email addresses to access restricted sections of your website or your mobile app
- Is there a designated place where files with this kind of information will be kept, either digitally or physically? e.g. a database
- Who will have access to the collected information, both internally and externally? e.g. who can read the database
As maintaining accountability is one of the Fair Information Principles and one of the more important ones, a clear chain of command for responsibility is critical:
- Is there a designated privacy officer who can ensure compliance with PIPEDA?
- Is there more than one designated person? If yes, are the responsibilities clearly designated for each person?
- Will your staff know who answers to requests for personal information, correction, and complaints? Will that be clear to users?
- Will your staff know how to accurately understand and explain PIPEDA and how it is implemented throughout the business?
- Is the use and purpose of the collected personal information described clearly?
How the information is collected, used, disclosed and retained must be identified to all parties involved: business, users, third parties, and so on. Key questions to consider here are:
- Have you identified the purposes for which you collect the personal information?
- Are you detailing these purposes to users at the point of or before the information is going to be collected?
- Is there any documentation supporting this?
- Is there a timetable for retaining and destroying old and inaccurate personal information?
- How will old and inaccurate personal information be disposed of?
In accordance with PIPEDA, scrutinizing every detail about the regular uses and removal of users' private information will allow the business to be certain that its actions are in compliance with the formal regulation.
Another crucial Fair Information Principle is consent. Appropriately asking for consent from a user is important:
- Does your staff know that consent must be gained before or at point of collection and then again for any new use or disclosure of such information?
- Is express consent asked where possible? Particularly for extra sensitive information such as credit cards and identification numbers?
- Is the request for consent clear and understandable to the user?
Accurate record keeping of information is another important aspect that must be considered:
- Is the information being gathered sufficiently accurate and up to date, bearing in mind the need to avoid inappropriate misuse of someone's information?
- Are updates documented?
- If third parties are involved, is the information distributed to them accurate?
Remember: any miscommunication about the personal information could result in breaching PIPEDA.
Implementing safeguards to protect the personal information you collect is mandatory:
- Do safeguards prevent inappropriate access, modification, collection, use, and disclosure of information?
- Are the safeguards appropriate in correspondence to the sensitivity, scale, format and method of storage of the information?
- Is there a hierarchy that knows what levels of information are being collected?
- Are there any rules prohibiting or permitting certain staff from accessing the private information once it's been gathered?
- Is staff aware of the legal time limits on responding to requests?
- Can information be retrieved for requests with minimal interruption to the daily function of the business?
- Is the information provided at minimal or no cost to the user?
- Is the information provided in a clear manner?
- Are alternatives for disabled people available, such as Braille and Audio tapes?
- Can individuals file complaints easily?
- Are complaints responded to in an expedient manner?
- Are complaints investigated to some extent? Are the complainants advised on their possible options?
- When complaints are justified, are there any appropriate corrective actions taken in response?