"PIPEDA" Is an acronym for the "Personal Information Protection and Electronic Documents Act". It is a federal law of Canada. The following are notes on the law and a summary of its key points. The summary begins under the "PIPEDA Main Sections" section. However, the most easily understood and most relevant to this project is the last part, namely, "Schedule 1". Schedule 1 addresses concretely the requirements for organizations that collect, use, and disclose privacy information. The notes for Schedule 1 appear last.
WARNING: I am not a lawyer. The PIPEDA is a law of Canada, and is written in legalese. These notes are my interpretation of the legal requirements of the act.
Before summarizing PIPEDA itself, this section outlines our responsibility with regard to personal information (PI); it is derived from "Schedule 1, Principles of Protection of Personal Information".
Some of our projects involve the collection of user preferences. Now, it is debatable whether these preferences constitute PI that is subject to privacy. I am going to ignore that debate in what follows. If user preferences are considered private PI, then there are obligations on our organization. On the other hand, if the preferences are anonymous and privacy is not an issue, then well and good. Still, in either case, we need to develop and publish a policy regarding privacy, even if this policy is a statement to the effect that we do not deem private the preferences information we collect.
Responsibility is tied to an organization. Thus, there is a question of who the organization is – it may be the IDRC. However, since the IDRC is part of OCAD University, the responsibilities may reside with the university. Logically, since the university collects, uses, and discloses PI, e.g., student grades, it is subject to PIPEDA, and must already have policies in place that satisfy PIPEDA. Whether it does is unknown at this time. The responsibilities that OCAD University (might) already discharge likely apply across all faculties and departments within the university, and thus include the IDRC. In any case, there needs to be a designated organization that is responsible for satisfying the constraints imposed by PIPEDA. The following is a brief outline of those constraints; more details can be found in the PIPEDA Schedule 1 notes below.
The responsibilities of an organization that collects personal information include:
- Define a policy with respect to the collection, use, and disclosure of PI. This policy must be explicit and public – the organization is required to inform individuals what it is doing with their information. The policy can be stated on a general public web page, presented in situ when individuals interact with the application that is collecting PI, or both.
- Define a policy for handling inquiries from individuals about their PI. This also needs to be explicit and open -- the organization is required to inform individuals how they can make inquiries and complaints about the PI they have entrusted to the organization.
- Designate an individual within the organization who:
  - Ensures that the policies are published.
  - Ensures that the policies are followed internally.
  - Ensures that the policies are updated or modified as required.
  - Is the contact person for inquiries and who handles them.
PIPEDA Main Sections
- Protection of Personal Information (Division 1)
- Division 2, Remedies
- Division 3, Audits
- Division 4, General
- Schedule 1: Principles of protection of personal information
The full text of the act is available on the Government of Canada web site.
- Defines rules for institutions and organizations that gather information about individuals and store that information in a digital or non-digital format.
- The rules govern how an institution may disseminate personal information while protecting the privacy of the individual.
- The rules are conservative in the sense that it is better to protect an individual's privacy than not. In general: "respect personal privacy and be very cautious about giving personal information to third parties."
- Applies to institutions or organizations (Org) that collect, use, or disclose personal information (PI).
- Applies to employees of or applicants to the Org.
- Does not apply to government institutions to which the Privacy Act applies.
Aside: Privacy Act, in brief
- Applies to government agencies, and is more restrictive than PIPEDA.
- Government agencies are allowed to collect PI only as necessary for that agency to function.
- Must inform the individual why it needs that information.
- PI is retained in order to allow the individual to find out what information is retained.
- A government agency must ensure PI is accurate.
- Can dispose of PI subject to disposal regulations.
- Cannot use PI except for internal use, and for the purposes for which it was gathered.
- May disclose PI if subpoenaed, for legal proceedings by the Attorney General of Canada, or via agreement with another government agency or a foreign government.
- If PI is disclosed, the agency must keep track of what was disclosed, how, and to whom.
- Concepts of Personal Information Bank and Personal Information Index of the Bank.
- Government of Canada's web site for the Privacy Act.
Protection of Personal Information (Division 1)
There are numerous terms defined in "Part 1 Interpretation, section 2" of the act. The following highlights some of them. For the full set, see the relevant part of the act.
- Term: "personal information"
- "information about an identifiable individual" (PIPEDA, Part 1, Interpretation, Definitions).
- Comment: this is why it is debatable whether user preferences should be kept private: is there a way to identify an individual based on their preferences? Is there a link from those preferences to an individual – yes there is – that can be used to identify them?
- Term: "personal health information"
- information about physical and mental health of an individual
- information about health services used by an individual
- information about bodily donations (e.g., blood) by the individual
- information collected about the individual during the course of treatment
- Term: "should"
- a recommendation, not an obligation.
- Term: "shall"
- an obligation; equivalent to "must" in RFC-2119
- Terms: "knowledge" and "consent"
- Knowledge: the individual is aware or made aware of X.
- Consent: the individual agrees to X.
- Terms: "implicit" vs. "explicit"
- Applied to "knowledge" and "consent" – the type of knowledge or consent.
- Consent does not imply knowledge, since in some cases, consent is implied by the context.
- An individual's explicit consent is valid only if it is reasonable to expect that the person is capable of giving consent.
- an example where explicit consent is not valid is when the individual is underage.
- Terms: "collect" vs. "use" vs. "disclose"
- Collect: gather PI about an individual, with or without knowledge or consent
- Use: use PI internally for the purposes defined by an Org with or without knowledge or consent
- Disclose: Share PI with a third party, with or without knowledge or consent.
- The terms "knowledge" and "consent" are orthogonal to the terms "collect", "use", and "disclose"
- Can mix and match. For example:
- Collect with knowledge of the individual, but not with their consent.
- Collect with knowledge and consent; use with knowledge but without consent.
- Collect and use with knowledge and consent, but disclose with neither.
- the act provides rules for different combinations.
There are rules for when an Org can collect PI without knowledge or consent:
- (a) if collection is clearly in the interest of the individual, but consent cannot be obtained in a timely manner
- (b) if seeking consent would compromise the accuracy of the PI
- when PI is contained within a witness statement for the purpose of an insurance claim
- when collection is solely for journalistic, artistic, or literary purposes
- when the PI is publicly available
- (e) in some cases when the purpose of the collection is disclosure – see disclosure rules (f) and (g) under "Disclosure"
There are rules for when an Org can use PI without knowledge or consent:
- if it is reasonable to believe that the use is useful to an investigation of a contravention of the laws of Canada
- if the PI is useful in an emergency where an individual is at risk: life, safety, health, or security
- if the PI is contained in a witness statement and the use is necessary for an insurance claim
- if the PI was produced by the individual as part of their job, business, or profession
- if the PI is used for statistics or scholarly study, where:
  - the study cannot be successful without using the PI, AND confidentiality is ensured, OR
  - it is impractical to obtain consent and the Org informs the Privacy Commissioner of the use beforehand
- if the PI is publicly available and regulations state that it can be used
- if the PI was collected as per collection rules (a), (b), or (e) above.
There are rules for when an Org can disclose PI without knowledge or consent:
- to the Org's lawyer (technically: an advocate/notary in the Province of Quebec, or a barrister/solicitor in other provinces)
- for the purpose of collecting a debt owed by the individual to the Org
- when required by subpoena or warrant
- to a government institution when it relates to:
  - (f) the national security of Canada,
  - enforcing a law (of Canada, a province, or a foreign jurisdiction),
  - an investigation relating to that law,
  - gathering intelligence relating to that law,
- to communicate with next of kin or an authorized representative regarding the injury, illness, or death of the individual
- to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, as required by that section
- when initiated by the Org to a government institution, when the Org:
  - has grounds to believe the PI relates to breaking a law of Canada, a province, or a foreign jurisdiction,
  - (g) or suspects the PI relates to national security, defense, or the conduct of international affairs of Canada
- by the Org to another Org regarding a breach of law, where disclosure with knowledge or consent would compromise the investigation
- by the Org to another Org regarding fraud, where disclosure with knowledge or consent would compromise prevention, detection, or suppression of the fraud
- by the Org to the government because:
  - there are grounds to believe that the individual is a victim of financial abuse,
  - and disclosure is for the sole purpose of preventing or investigating said abuse,
  - and knowledge and consent of the individual would compromise prevention or investigation of the abuse.
- by the Org to the government or to next of kin/an authorized representative with respect to the injury, illness, or death of the individual.
  - (h) BUT, if the individual is alive, the Org shall inform the individual of the disclosure in writing ASAP.
- to a person who needs the PI because of an emergency that threatens the individual.
- of PI relating to an insurance claim.
- of PI produced by the individual in the normal course of their job.
- for statistics/scholarly research where it is impractical to obtain consent, BUT the Privacy Commissioner is notified of the disclosure.
- to an institution that acts as a record keeper of historic or archival importance.
- made 100 years after collecting the PI, or 20 years after the death of the individual, whichever is earlier:
  - for PI that is public,
  - for disclosure that is required by law.
Division 2, Remedies
Filing of Complaints
- an individual may file a complaint in writing with the Privacy Commissioner against an Org if they feel the Org is not following Schedule 1.
- the Privacy Commissioner may initiate a complaint against an Org if there are reasonable grounds.
- if an individual makes an access request (principle 4.9 of Schedule 1), and the Org refuses the request, the individual can file a complaint. The complaint shall be filed within six months of the refusal, or any longer period that the Commissioner allows.
- the Commissioner shall notify the Org of the complaint.
Investigations of Complaints
- the Commissioner shall investigate the complaint unless:
  - the Commissioner believes the complainant should exhaust other means available to them,
  - the Commissioner believes there is another federal or provincial law that applies,
  - the complaint was not filed in a reasonable amount of time.
- There are a number of laws, e.g., the Competition Act, that may prohibit an investigation.
- if the Commissioner does not investigate, they will notify both the complainant and the Org of their decision and explain why the investigation is not going forward.
- the Commissioner may reconsider a decision not to investigate if the complainant can satisfy the Commissioner that the investigation is warranted.
- the Commissioner has certain powers in carrying out an investigation:
  - issue summonses
  - administer oaths
  - receive and accept evidence
  - enter the premises of the Org at any reasonable time, except a dwelling-house
  - converse in private with any person on those premises
  - examine and obtain copies of records found on the premises
- the Commissioner may resolve the complaint using mediation or conciliation.
- the Commissioner may delegate some (but not all) of the Commissioner's powers to others, and will provide a certificate to the delegate.
- the Commissioner shall return any records or documents produced by a person or Org as a result of the investigation within 10 days of a request for their return. However, the Commissioner can request that these records or documents be produced again if the Commissioner requires further use of them.
Discontinuance of Investigation
- the Commissioner may discontinue the investigation if:
  - there is insufficient evidence,
  - "the complaint is trivial, frivolous or vexatious or is made in bad faith",
  - the Org has made a reasonable response,
  - etc. (meaning: numerous cases with wording that references other subsections/paragraphs, along the lines of "circumstances mentioned in paragraph 12(1)(a), (b) or (c)").
- within one year of the investigation, the Commissioner will issue a report containing:
  - findings and recommendations,
  - any settlement that was reached by the parties,
  - a request by the Commissioner that the Org notify it of any action taken in response to the report's findings and recommendations,
  - any recourse available via a hearing by a Court.
- the report shall be sent to the complainant and the Org.
Hearing by Court
- after receiving the Commissioner's report, or if notified that the Commissioner discontinued the investigation, the complainant can pursue the matter in Court
- certain aspects of Schedule 1, "Principles of Protection of Personal Information", are also relevant to a complainant's application to the Court, specifically 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8.
- complainant shall make an application to the Court within one year after the Commissioner's report or notification of discontinued investigation
- the Commissioner may apply to the Court if the Commissioner has the consent of the complainant
- the Commissioner may appear on behalf of the complainant
- the Commissioner may appear as a party to any hearing pursued by the complainant
- the Court may, in addition to any other remedies it might give, order an Org:
  - to correct its practices,
  - to publish a notice of any proposed action or action taken to correct its practices,
  - and may award damages to the complainant.
- Compliance agreements are a means by which the Commissioner can try to achieve compliance by an Org without going to Court, or by suspending existing Court proceedings.
  - triggered if the Commissioner believes the Org is not in compliance or will not be in compliance, and believes that a compliance agreement can be reached.
  - a compliance agreement may contain any terms that the Commissioner deems necessary to ensure compliance.
  - when a compliance agreement is entered into, the Commissioner:
    - will not apply for a hearing by a Court, and/or
    - will suspend any pending applications to the Court.
  - however, a compliance agreement does not preclude:
    - an individual (complainant?) from applying for a hearing by the Court,
    - "the prosecution of an offence under the Act."
  - if the Commissioner decides that a compliance agreement has been complied with, the Commissioner notifies the Org in writing.
  - if the Commissioner is of the opinion that an organization is not complying with the agreement:
    - the Commissioner shall notify the organization,
    - the Commissioner may apply for a hearing by the Court, or apply to reinstate proceedings that were suspended due to the compliance agreement.
Division 3, Audits
Audits are for ensuring compliance.
- The Commissioner may give notice to an Org and audit their PI management practices; in doing so, the Commissioner may:
  - summon persons and compel them to appear and give oral or written evidence under oath, including producing records,
  - accept any evidence or information, whether under oath, by affidavit, or otherwise, whether or not it would be admissible in a court of law,
  - enter the Org's premises,
  - converse in private with any person on the Org's premises,
  - examine and obtain copies of records found on the Org's premises.
- The Commissioner may delegate any of these powers, providing the delegate(s) with a certificate.
- The Commissioner shall return any records to the Org within ten days of the Org requesting their return.
- The Commissioner or delegate may re-acquire any returned records.
- The Commissioner shall provide the Org with a written report that contains the findings of the audit.
- The Org may include the audit in their annual report.
Division 4, General
- Confidentiality: As a baseline, the Commissioner or delegates shall not disclose any information discovered in the course of performing their duties. However:
  - Public interest: the Commissioner or delegates may disclose any information if they consider it in the public interest.
  - Disclosure of necessary information:
    - if required to conduct an investigation,
    - for establishing grounds for findings and recommendations.
  - Disclosure in the course of proceedings:
    - a prosecution for an offence,
    - a hearing before a Court,
    - an appeal from a decision of the Court,
    - a judicial review of the performance of the Commissioner.
  - Various other restrictions, or lack thereof, regarding disclosure with respect to other acts.
- Protection of the Commissioner: no criminal or civil proceedings shall be taken against the Commissioner or delegates for anything they have done in good faith.
- Defamation: any audit, report, or other information supplied by the Commissioner in good faith is not subject to a claim of defamation.
- Provincial: The Commissioner may consult, make arrangements or agreements, and share information with their provincial counterparts.
- Foreign states: in certain cases, the Commissioner may consult, make arrangements or agreements, and share information with their counterpart in another country.
- Promotion: The Commissioner shall develop information programs to foster public understanding of privacy and the protection of PI.
- Annual report: The Commissioner shall, with the provinces' help, submit to Parliament a report regarding the extent to which provinces have enacted legislation similar to PIPEDA. The report is due each financial year.
- Whistleblowing: Any person who believes that another person has contravened Division 1 may notify the Commissioner and request that their identity be kept confidential.
  - No employer shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee that has notified the Commissioner as above.
  - "employee" includes independent contractors.
- Offence: Any person who knowingly contravenes or obstructs the Commissioner or delegates with respect to a complaint or audit is guilty of:
  - a summary conviction offence, and liable to a fine not exceeding $10,000, or
  - an indictable offence, and liable to a fine not exceeding $100,000.
Schedule 1, Principles of Protection of Personal Information
The principles are all numbered 4.x. A list of the principles follows immediately; thereafter are notes on each principle. These have implications for the IDRC in terms of the IDRC being an organization that collects, uses, and discloses an individual's private information.
- 4.1 Accountability
- 4.2 Identifying the Purpose of Collection
- 4.3 Consent
- 4.4 Limiting Collection
- 4.5 Limiting Use, Disclosure, and Retention
- 4.6 Accuracy
- 4.7 Safeguards
- 4.8 Openness
- 4.9 Individual Access
- 4.10 Challenging Compliance
Principle 4.1, Accountability
- The Org shall designate an individual or individuals responsible for any PI that is collected.
- Compliance with PIPEDA rests with the aforesaid individuals.
- The identity of the individuals will be made known upon request.
- The Org is responsible for PI in its custody, including when it has been transferred to a third party.
  - The Org uses contractual means or equivalent with the third party to provide the same level of protection of PI as the Org itself provides.
- The Org shall implement policies and practices – "procedures" – to protect PI, realizing these principles (the Schedule 1 principles):
  - procedures that protect PI,
  - procedures that receive and respond to complaints and inquiries,
  - training and communication to staff about these procedures,
  - information or documentation that explains the Org's policies and practices.
Principle 4.2, Identifying the Purpose of Collection
- Document the purpose(s) for which the PI is collected.
  - comply with Principle 4.8, Openness.
- Identify and document the purposes for which the PI is collected.
  - When? At or before the time of collection.
  - Side effect: makes explicit to the Org itself exactly why it is collecting the PI.
  - Relates to Principle 4.4, Limiting Collection -- collect only what is needed, and no more.
    - The idea is that if the Org has a document stating the purpose(s) for which PI is collected, that determines what and how much PI is needed.
- Specify to individuals the purpose of collection at or before the time of collection.
  - orally or in writing, e.g., on an application form.
  - "We need your email address because ... and it will be used for (1), (2), and (3)"
- If a new purpose arises after the PI is collected, the Org shall:
  - identify and document the new purpose,
  - seek and receive the consent of the individual prior to using their PI in the new manner.
  - Exception: if the new purpose is required by law, no consent is needed.
- See also Principle 4.3, Consent.
- Consider also principles 4.4, Limiting Collection, and 4.5, Limiting Use, Disclosure, and Retention.
Principle 4.3, Consent
Knowledge and consent are required for collection, use, or disclosure of PI.
- That said, there are circumstances where PI is collected, used, or disclosed without knowledge or consent, for legal, medical, or security reasons:
  - legal: collection for:
  - medical: when the individual is:
    - a minor,
  - when a third party has no direct contact with the individual:
    - For example, a charity wishes to acquire a mailing list from the Org. The charity cannot be expected to contact the individual to get their consent, since it has not received any contact information as yet – that is what the charity is seeking to acquire from the Org. However, the Org, which does have the individual's contact information, is expected to obtain consent from the individual before disclosing the individual's PI.
- Seek consent for use or disclosure at the time of collection.
  - If another purpose comes up that was not identified at the time of collection, then the Org shall seek consent for that purpose.
- Orgs are required to make a reasonable effort to acquire consent.
- The form of consent depends on the sensitivity of the information:
  - sensitive PI requires explicit consent from the individual; implied consent is okay for less sensitive information.
  - sensitive example: medical records or income.
  - less sensitive example: names and addresses of subscribers to a news magazine.
- Reasonable expectations on the part of the individual are relevant with regard to acquiring consent:
  - reasonable: for example, the primary purpose of collecting name and address for a magazine subscription is mailing and billing, but it is reasonable to solicit subscription renewal using that PI. That is a reasonable use of the PI without express consent.
  - unreasonable: a health-care professional giving the name and address of an individual to a company selling health-care products.
  - consent cannot be gained via deception.
- Consent can be given in a number of ways:
  - orally, when information is collected over the phone,
  - when the product or service is used ("By using this product, you consent to ... ").
Principle 4.4, Limiting Collection
- Limit collection to that which is needed for the purpose(s) identified by the organization.
  - Do not collect PI indiscriminately; collect only enough for the stated purpose(s) – see Principle 4.2, Identifying Purpose.
  - Also limit collection in accordance with Principle 4.8, Openness.
- Collection of PI is limited to fair and lawful means:
  - it is illegal to collect PI by misleading or deceiving the individual, especially in terms of the purpose for which the PI is collected.
Principle 4.5, Limiting Use, Disclosure, and Retention
- Use and disclosure are limited to the purposes for which the PI was collected.
- Retention is limited to the length of time necessary to fulfill the purpose(s).
- Using PI for a new purpose must be documented (see 4.2, Identifying Purpose).
- Orgs should develop guidelines and implement procedures with respect to retention:
  - include minimum and maximum retention periods,
  - PI that has been used should be retained long enough that the individual can request an account of how their PI was used,
  - the retention period may be determined by another law,
  - PI that is no longer needed for the identified purpose should be destroyed, erased, or made anonymous.
- See also 4.3, Consent, 4.2, Identifying Purpose, and 4.9, Individual Access.
Principle 4.6, Accuracy
- PI must be accurate, complete, and up-to-date with respect to the identified purpose(s).
- The required degree of accuracy, completeness, and currency depends on the use:
  - do not collect more information than is needed for the identified purpose(s),
  - Orgs must not update PI unless necessary for the identified purpose(s).
- PI used on an ongoing basis, including that disclosed to third parties, should be accurate and up-to-date unless there are clear guidelines for limiting the accuracy.
Principle 4.7, Safeguards
- PI must be protected to a degree appropriate to the sensitivity of the PI.
- Protect against loss, theft, unauthorized access, unauthorized disclosure, unauthorized copying, unauthorized use, and unauthorized modification:
  - regardless of the format in which the PI is held,
  - the more sensitive the PI, the higher the level of protection.
    - Sensitivity is discussed in the Consent principle, 4.3.
- Methods of protection:
  - physical, e.g., locked file cabinets and restricted access to offices,
  - organizational, e.g., different levels of security clearance for different employees of the Org,
  - technological, e.g., use of passwords and encryption.
- Orgs are responsible for making their employees aware of the importance of maintaining the confidentiality of the PI they hold.
- Care must be taken when disposing of or destroying PI to prevent unauthorized parties from gaining access.
- See also the principle Limiting Use, Disclosure, and Retention, 4.5.
Principle 4.8, Openness
- Orgs must make their policies and practices regarding PI available to individuals.
- Orgs must be open about policies and practices in a form that is understandable.
- Information made available includes:
  - name, title, and address of the person accountable for the Org's policies and practices, to whom inquiries and complaints can be made,
  - the means by which an individual can gain access to their PI,
  - descriptions of the type of PI held by the Org, and a general account of its use,
  - a copy of brochures or other information that explains the Org's policies, standards, and codes,
  - what PI is made available to related Orgs (e.g., subsidiaries).
Principle 4.9, Individual Access
- Individuals can request to be informed of the existence, use, and disclosure of their PI and have access to that PI:
  - they can challenge the accuracy and completeness of the PI,
  - they can have the PI amended,
  - BUT the Org can limit access:
    - if access is prohibitively costly,
    - if the PI contains references to other individuals,
    - if there exist legal, security, or commercial proprietary reasons prohibiting disclosure,
    - if the PI is subject to solicitor-client or litigation privilege.
- Upon request, the Org must acknowledge whether it holds PI about the individual.
- Orgs are encouraged to indicate the source of the PI.
- Orgs must allow access to the PI; however, sensitive information may be released via another person. Example: medical records may be released to the individual's health-care provider, who will then pass the PI on to the individual.
- Orgs must provide an account of the use of the PI, including an account of use by third parties.
- Individuals may be required to provide additional information to allow an Org to determine and provide an account of the existence, use, and disclosure of already held PI.
  - This specific information will be used only for this specific purpose.
- With respect to accounting for third-party disclosures:
  - the Org should attempt to be specific,
  - if unsure, the Org must supply a list of third parties to which it may have disclosed the PI.
- The Org must respond in a reasonable amount of time to such requests, at no cost to the individual:
  - the response must be in a format that is understandable (e.g., abbreviations and codes will be explained).
- Where an individual demonstrates an inaccuracy or incompleteness of PI:
  - the Org must amend it,
  - amendments include corrections, deletions, or additions,
  - where appropriate, the amended PI will be transmitted to third parties that have access to the inaccurate/incomplete PI in question.
- If an individual's challenge is not resolved to their satisfaction:
  - the Org must make a record of the substance of the challenge,
  - the Org must notify third parties that have access to the PI in question of the existence of the challenge.
Principle 4.10, Challenging Compliance
- Individuals are able to challenge an Org's compliance with all of the above principles:
  - challenges are directed to the individual(s) accountable for the Org's compliance,
  - the Org's accountable individuals are described in the Accountability principle, 4.1.
- The Org must put procedures in place to receive and process complaints or inquiries about its policies and practices regarding PI:
  - the complaint procedure must be easily accessed and simple to use,
  - the Org must inform individuals who make inquiries of the existence of complaint procedures.
- The Org must investigate all complaints:
  - if a complaint is justified, the Org must amend its policies and practices as appropriate.