PIPEDA (Personal Information Protection and Electronic Documents Act) – An Act to extend the present laws that protect the privacy of individuals and that provide individuals with a right of access to personal information about themselves.
SpeedMatchApp privacy standards are based on the Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-11.html#h-26 It addresses: the ways in which organizations collect, use and disclose personal information; the rights of individuals to have access to their personal information; and the right to have it corrected, if necessary: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-11.html#h-26 The Model Code’s 10 principles are (These principles are usually referred to as “fair information principles”. They are the foundation of PIPEDA. )
Principle 1 - Accountability An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.Principle 2 - Identifying Purposes The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
Principle 3 - Consent The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 - Limiting Collection The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Principle 6 - Accuracy Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Principle 7 - Safeguards Personal information must be protected by appropriate security relative to the sensitivity of the information.
Principle 8 - Openness An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Principle 9 - Individual Access Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
Canadian GDPR Adequacy designation
It is important to note that PIPEDA has been recognised as providing an adequate level of privacy protection relative to the GDPR. This “adequacy” determination, one of the original reasons of enacting PIPEDA, permits Canadian organisations to process personal information of EU residents without having to comply with the “Privacy Shield” which governs U.S. companies.
While a review of compliance requirements under the GDPR reveals that many are reflected in Canadian privacy law already, a number are potentially more rigorous. SMA updated its procedures, documents and policies to meet the following additional new compliance requirements:
Breach reporting.
The requirement for reporting of breaches to the relevant “data protection authority”, where feasible,
within 72 hours of the occurrence. As we know, PIPEDA has been amended to provide for reporting of breaches,
as well as notification of affected individuals – another new GDPR requirement. However these new PIPEDA
rules do not stipulate a specific time period for reporting.
Accountability.
A key new GDPR compliance requirement is internal organisational accountability, specifically the
establishment of a comprehensive data protection program. Such a program must include documented policies
and procedures, maintaining detailed records of all data processing activities, guided by the principle of
“privacy by design and by default”. While some features of this requirement go beyond what is dictated
expressly under PIPEDA, Canadian businesses again are familiar with this overall dictate which is consistent
with guidance issued by the federal and provincial Privacy Commissioners.
Substantive privacy rights.
The GDPR also stipulates a number of new or enhanced substantive privacy rights for individuals which
organisations will need to address and build into their privacy protection procedures, including the
following:
Consent
Must be a freely given, specific, informed and unambiguous indication of the data subject's agreement to the
processing of his or her personal data and must be given by a statement or a clear affirmative action.
Right to erasure (“right to be forgotten”)
- Broader than under the Directive and not specifically provided for under Canadian privacy laws.
Right of individuals to restrict processing of their data
- E.g. as when accuracy is challenged - expanded.
Data portability
– The right of individuals to transfer their data from one data collector to another