19 June 2020
In Canada, the Personal Information Protection and Electronic Documents Act (or PIPEDA), governs the collection and use of personal information and how it's protected.
The PIPEDA Act requires covered organizations and other entities (businesses) to get a user's consent when collecting, using or disclosing that user's personal information.
Whatever personal information you collect from users may only be used for the express purpose for which it was collected and nothing more.
Any additional use outside the original scope requires further consent from the user. Also, users must be assured that the information collector (the business, the website, the mobile app) will reasonably protect their information.
Any commercial activity that uses, collects, or discloses some kind of personal information is covered by the regulations of the PIPEDA Act in Canada.
Commercial activity means any particular transaction, act, conduct, or any regular course of conduct that is commercial in character, including selling, bartering or leasing of donor, membership or fundraising lists.
This would inherently include websites, mobile apps, Facebook apps, desktop apps. If all these platforms are operated in any of those capacities specified above, it's covered by the Canada's Act.
If a business isn't generating any revenue from a website or mobile app, they still might be covered. If the personal information being gathered from users is used for future website and app development or to improve the experience of users on the website or mobile app, then the website/mobile app's commercial success is indirectly benefiting.
Therefore, it's covered.
Personal information can be a nebulous term. It could be anything that someone finds to be private in nature.
PIPEDA statutorily defines "personal information" to include any factual or subjective information, recorded or not, about an identifiable individual. This includes:
As you can see, PIPEDA's scope of coverage is comprehensive.
Specific exceptions are excluded from coverage, such as personal information collected solely for artistic, journalistic, or literary purposes and information collected by designated governmental agencies.
Canada's PIPEDA Act forms a base rule that there's an overarching obligation to maintain responsibility for the guarding of personal information and the fair handling at all times through the entire organization and in all third party dealings.
Businesses are compelled that any collection, use or disclosure of personal information must only be for a reasonable purpose.
Alongside this base rule, Schedule I of PIPEDA lays 10 Fair Information Principles that businesses must follow to remain in compliance with the Act:
Businesses must be accountable. To fulfill this principle, assign an individual from your business to be responsible for active compliance with Canada's PIPEDA Act.
A business should take extra precautions to protect the personal information it collects from users. As a business owner, you should develop a series of policies to keep the collected information protected.
Accountability goes farther than just a business owner's own actions.
Any third parties that personal information is shared with obligates the original information collector to be responsible for any mishandling from that interaction.
Shopify may use third party service providers to provide certain services to you and we may share Personal Information with such service providers. We require any company with which we may share Personal Information to protect that data in a manner consistent with this policy and to limit the use of such Personal Information to the performance of services for Shopify.
The purpose of collecting a piece of personal information must always be clear.
At the point of collecting any type of information, mention why the information is being gathered and what its purpose will be.
The more clear the purpose of the information use, the better.
Under Canada's PIPEDA, informed consent must be meaningful and clear.
Before getting consent from a user, you should explain how the information you'll collect will be used. This shouldn't be done in a deceptive manner.
According to PIPEDA, consent should be asked not only before obtaining a piece of information but also to be continually updated and asked. There are several exceptions to this, but these exceptions should rely on after every other step has been implemented.
Personal information shouldn't be collected haphazardly and users mustn't be misled on the reasons for which the information is being collected.
The scope of information that's gathered should be narrow and tailored to the exact requirements needed.
Nothing more or less.
Limit Use, Disclosure And Retention
Businesses must only use personal information only for the purpose the user agreed upon and must keep the personal information as long as necessary to achieve its purpose.
Once that information is no longer necessary for the purpose it was gathered, it must be destroyed, erased or rendered anonymous.
Information that isn't necessary and is stored all time without purpose poses a potential breach of data.
Daatacratic does not collect any personally identifiable information about you when you visit the Website unless you voluntarily provide this information, for example by contacting us through our email forms (including sending us queries or responding through the Website to our job postings.) Personal information collected in these cases may include your name, contact details, email address, telephone number and your resume.
All uses of users' information must be done accurately and appropriately. Personal information records must be kept complete, organized, and as up to date as possible.
Regularly used personal information must be regularly kept up to date.
Personal information that's collected through a website or mobile app must be protected from theft, loss, unauthorized access, disclosure, use, copying or modification regardless of how the information is stored.
The sensitive nature of the information collected, the amount of it and the extent of any breaches of safeguards are all taken into account when considering whether a business has met its duty.
The policies must be clear and easily understood by a reasonable layperson.
Individuals whose personal information has been used or given have a right to access that information.
Businesses, once requested, must inform users of all information the business has on them and provide full and accurate disclosure on how it's being used.
Finally, businesses must provide some form of complaint procedure for users.
All complaints must be investigated to some capacity and corrective action must be taken if warranted.
How should a business move forward and improve their website or mobile app, while adhering to these regulations imposed by PIPEDA?
Below are a series of questions broken into categories that should be considered before you make the decision if your website or mobile app is market ready.
Consider what information is going to be collected from users:
As maintaining accountability is one of the Fair Information Principles and one of the more important ones, a clear chain of command for responsibility is critical:
How the information is collected, used, disclosed and retained must be identified to all parties involved: business, users, third parties, and so on. Key questions to consider here are:
In accordance with PIPEDA, scrutinizing every detail about the regular uses and removal of users' private information will allow the business to be certain that their actions are in compliance with the formal regulation.
Another crucial Fair Information Principal is consent. Appropriately asking for consent from a user is important:
Accurate record keeping of information is another important aspect that must be considered:
Remember: any miscommunication about the personal information could result in breaching PIPEDA.
Implementing safeguards to protected the personal information you collect is mandatory:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.