"PIPEDA" is an acronym for the "Personal Information Protection and Electronic Documents Act". It is a federal law of Canada. The following are notes on the law and a summary of its key points. The summary begins under the "PIPEDA Main Sections" section. However, the part that is most easily understood and most relevant to this project is the last part, namely, "Schedule 1". Schedule 1 addresses concretely the requirements for organizations that collect, use, and disclose privacy information. The notes for Schedule 1 appear last.
- after receiving the Commissioner's report, or if notified that the Commissioner discontinued the investigation, the complainant can pursue the matter in Court
- certain aspects of Schedule 1, "Principles of Protection of Personal Information", are also relevant to a complainant's application to the Court, specifically 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8.
- complainant shall make an application to the Court within one year after the Commissioner's report or notification of discontinued investigation
- the Commissioner may apply to the Court if the Commissioner has the consent of the complainant
- the Commissioner may appear on behalf of the complainant
- the Commissioner may appear as a party to any hearing pursued by the complainant
- the Court may, in addition to any other remedies it might give, order an Org
- to correct its practices,
- to publish a notice of any proposed action or action taken to correct its practices,
- award damages to the complainant
- Individuals can request the existence, use, and disclosure of their PI and have access to that PI:
- can challenge the accuracy and completeness of the PI,
- can have the PI amended,
- BUT, Org can limit access:
- if access is prohibitively costly,
- if PI contains references to other individuals,
- if there exist legal, security, or commercial proprietary reasons prohibiting disclosure,
- if PI is subject to solicitor-client or litigation privilege.
- Upon request, org must acknowledge whether they hold PI,
- Orgs are encouraged to indicate the source of the PI,
- Orgs must allow access to the PI; however, sensitive information may be released by another person. Example: medical records may be released to the individual's health-care provider who will then pass the PI on to the individual,
- Orgs must provide an account of the use of the PI, including an account of use by a third party,
- Individuals may be required to provide additional information to allow an Org to determine and provide an account of the existence, use, and disclosure of already held PI.
- This specific information will be used only for this specific purpose.
- With respect to accounting of third party disclosures:
- Org should attempt to be specific,
- if unsure, Org must supply a list of third parties that it may have disclosed the PI to.
- Org. must respond in a reasonable amount of time to such requests, at no cost to the individual:
- the response must be in a format that is understandable (e.g., abbreviations and codes will be explained),
- Where an individual demonstrates an inaccuracy or incompleteness of PI:
- Org. must amend,
- amendments include corrections, deletions, or additions,
- where appropriate, the amended PI will be transmitted to third parties that have access to the inaccurate/incomplete PI in question.
- If an individual's challenge is not resolved to their satisfaction:
- Org must make a record of the substance of the challenge,
- Org must notify third parties that have access to the PI in question of the existence of the challenge.