"PIPEDA" is an acronym for the "Personal Information Protection and Electronic Documents Act". It is a federal law of Canada.
PIPEDA dictates how organizations must handle personal information about an individual. Examples of personal information include, but are not limited to, credit card information, driver’s licence, pictures, bank account information, phone numbers, and email addresses.
PIPEDA defines an organization's legal responsibilities with respect to the way they collect, use, and disclose personal information. Within this document, the terms "personal information", "organization", "collect", "use", and "disclose" are used as defined by PIPEDA. They are defined briefly, with examples, as follows:
Personal information
Information about an identifiable individual. Examples include name, address, and credit card information.
Organization
Includes an association, a partnership, a person and a trade union.
Collection of personal information
An organization gathers personal information from a user and optionally stores it internally. Collection is always internal in the sense that the information does not leave the confines of the organization. For example, a site may request a user to enter their name, address, and credit card, and then store them on an internal server.
Use of personal information
An organization or service uses collected personal information for the purposes for which it was collected. Like collection, use is internal to the organization. As an example, an organization uses credit card information when an individual purchases an item from the organization’s web site. Later, the organization uses the individual's address to ship the item to them.
Disclose personal information
An organization shares information it has collected with external third parties. One way disclosure of personal information can occur is when an organization transmits personal information electronically to another party for their use. For example, when an individual makes a credit card purchase through an organization’s web site, the organization must transmit the credit card information to the credit card company itself to realize the purchase. Such transmission is a form of disclosure.
An organization’s legal responsibility with respect to collecting, using, and disclosing personal information is realized through two kinds of policies -- a policy for collecting, using, and disclosing personal information, and a policy for inquiries and complaints.
Second, organizations are required to publish a policy regarding how users can make inquiries about the personal information that the organization has collected. Inquiries include:
A request for a copy of all of the user’s personal information,
Checking personal information for accuracy, and providing corrections to the organization,
Information about how the personal information has been used internally, and what has been disclosed to third parties and why, and
Registering a complaint with the organization about the organization’s failure to follow their own privacy policies.
Since PIPEDA is a law, failure on the part of an organization to openly publish policies, or to follow the policies it has published, can lead to audits by the Privacy Commissioner, fines, or lawsuits.
IDRC Privacy Preferences Design
IDRC’s privacy preferences design encompasses a set of privacy preferences, user interface, and information model for capturing, storing, and transmitting a user’s privacy preferences. The preferences afford users the ability to detail the level of privacy they want to assert with respect to various types of personal information.
Although the terminology is not the same, privacy preferences are statements by a user about the ways they want their personal information to be collected, used, or disclosed. For example, one of the preferences in the design relates to tracking of the user's location. Users can specify that they want to block all location tracking. Blocking is equivalent, in PIPEDA terminology, to not allowing collection, use, or disclosure of location information. Or, the user may choose to share their location with some services but not others, e.g., share their location with Google maps but not with Flixster (a movie locator and ticket purchasing service). Here, "sharing" is equivalent to allowing collection and use by the Google maps service only; it does not authorize Google maps to disclose the location to anyone else.
Relationship Between PIPEDA and Privacy Preferences Design
There are three points of intersection between PIPEDA and privacy preferences design.
A minor relationship involves the privacy preferences themselves. Since they are personal preferences, they are a type of personal information and are subject to PIPEDA. The implication is that any organization that uses Privacy Preferences Design is collecting, using, and/or disclosing personal information in the form of preferences. As such, the organization must establish and publish policies that define what is collected, why it is collected, how it is used, and how and why it is disclosed. Note that in this case, one of the main reasons for the preferences is to share (disclose) them with other parties to ensure that the user's privacy needs are met.
Nonetheless, privacy preferences are relatively low in terms of sensitivity. By comparison, credit card information is much more sensitive and can cause an individual greater harm if not kept private. The implication is that an organization's privacy policies with respect to preferences are relatively simple: state that the collection, use, and disclosure of these preferences is to enhance an individual's privacy with respect to more sensitive personal information, and that, compared to other kinds of personal information, it is beneficial to the user to collect, use, and disclose this kind.
Privacy preferences design affords users a finer degree of control over the collection, use, and disclosure of their personal information, since it provides specific directives for various kinds of personal information, and for groups of web sites or services. In addition, given that the preferences are digitally encoded, they are easily transferred and used in other contexts. That is, the user does not have to re-enter their preferences on a site-by-site, service-by-service, or app-by-app basis.
Note that this relationship resonates with some of the seven principles of Privacy by Design. In that regard, it is proactive on the part of the user (principle 1), it is visible and transparent (principle 6), and it is user centric (principle 7).
The main benefit here is that it is a user-centric solution since the user is in control. The organization is able to give the user exactly what they want in terms of privacy, instead of an all-or-nothing policy.
Another implication of this approach has to do with changes the user makes to their preferences over time. Sometimes this is due to the user changing their mind and either strengthening or relaxing the degree of privacy of some preference. In addition, users will add new preferences depending on context -- newly encountered services or different devices. The policy is thus dynamic, and any organization holding a copy of the preferences must be able to accept an updated copy rather than keep acting on a stale one.
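The following is an added example, written for this page and not IDRC's information model or code, of how the location preference described earlier (share with Google maps but not Flixster, or block all tracking) can be evaluated and carried between devices, and how a later change by the user replaces the earlier preference. It assumes its own small JSON layout, the info type name "location", and the service names used in the text; all of these are illustrative choices, not part of the design. The evaluator treats anything not explicitly granted as denied, and "sharing" grants collect and use only, never onward disclosure.

```python
"""Added example: a small evaluator for per-service privacy preferences.

Illustrative code written for this page, not IDRC's information model or
API. The info type "location", the service names and the JSON layout are
assumptions chosen for the example.
"""
import json

# The three PIPEDA verbs a preference can speak to.
ACTIONS = ("collect", "use", "disclose")
ANY_SERVICE = "*"


class PreferenceSet:
    """Maps info_type -> {service -> set of allowed actions}.

    Anything not explicitly granted is denied (default deny): an info type the
    user never mentioned, or a service not named, gets no collection, use or
    disclosure.
    """

    def __init__(self, rules=None):
        self.rules = rules if rules is not None else {}

    def block(self, info_type):
        """Block all tracking of info_type: no collect, use or disclose by anyone."""
        self.rules[info_type] = {}

    def share_with(self, info_type, service):
        """'Share' in the page's sense: the named service may collect and use
        the information, but may not disclose it onward."""
        self.rules.setdefault(info_type, {})[service] = {"collect", "use"}

    def grant(self, info_type, service, actions):
        """Explicit grant of any subset of ACTIONS, e.g. disclose to a payment processor."""
        bad = set(actions) - set(ACTIONS)
        if bad:
            raise ValueError(f"unknown action(s): {sorted(bad)}")
        self.rules.setdefault(info_type, {})[service] = set(actions)

    def is_allowed(self, info_type, service, action):
        """Evaluate one (info_type, service, action) request against the preferences."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        per_service = self.rules.get(info_type)
        if not per_service:
            return False  # never mentioned, or explicitly blocked
        # A service-specific entry wins over a wildcard entry.
        grants = per_service.get(service, per_service.get(ANY_SERVICE, set()))
        return action in grants

    # Preferences are personal information too; encoding them as JSON is what
    # lets the user carry them to another service or device instead of
    # re-entering them everywhere.
    def to_json(self):
        return json.dumps(
            {t: {s: sorted(a) for s, a in svc.items()} for t, svc in self.rules.items()},
            sort_keys=True,
        )

    @classmethod
    def from_json(cls, text):
        raw = json.loads(text)
        rules = {t: {s: set(a) for s, a in svc.items()} for t, svc in raw.items()}
        # Reject unknown actions rather than silently widening the user's
        # preferences on import.
        for svc in rules.values():
            for actions in svc.values():
                unknown = actions - set(ACTIONS)
                if unknown:
                    raise ValueError(f"unknown action(s) in preferences: {sorted(unknown)}")
        return cls(rules)


def location_example():
    """Constructed scenario from the page: share location with Google maps only,
    then tighten the preference later and carry it to a second device."""
    prefs = PreferenceSet()
    prefs.share_with("location", "Google maps")
    before = {
        "maps_collect": prefs.is_allowed("location", "Google maps", "collect"),
        "maps_disclose": prefs.is_allowed("location", "Google maps", "disclose"),
        "flixster_collect": prefs.is_allowed("location", "Flixster", "collect"),
    }
    # Later the user changes their mind: the stored policy is dynamic.
    prefs.block("location")
    after_block = prefs.is_allowed("location", "Google maps", "use")
    # Round trip through JSON, as a second device would load it.
    copy = PreferenceSet.from_json(prefs.to_json())
    return before, after_block, copy.rules == prefs.rules


if __name__ == "__main__":
    print(location_example())
```

The default-deny choice matters: a service that is not named in the user's preferences, or an info type the user never configured, gets nothing, which is the conservative reading of "block all location tracking". The import check in `from_json` is there because a preference file arrives from another party and should not be able to grant more than the three PIPEDA verbs the user can express.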
The organization would still have to develop and publish an inquiry and complaint policy. For example, suppose the user encounters some odd behaviour that leads them to believe that some aspect of their personal information was used or disclosed without their knowledge or consent, and, more importantly, counter to their stated preferences. Suppose further they determined that a certain organization was responsible. They would then want to follow that organization’s inquiry policy so as to at least determine that the organization had an accurate and up-to-date copy of their preferences, or at worst, properly lodge a complaint with the organization. In order for a user to verify their preferences, the organization would have to publish an inquiry/complaint policy.