Personal Information Protection and Electronic Documents Act

From Wikipedia, the free encyclopedia

PIPEDA (the Personal Information Protection and Electronic Documents Act) is a Canadian law governing how private sector organizations collect, use and disclose personal information in the course of commercial business. PIPEDA was passed in the late 1990s to promote consumer trust in electronic commerce. The act was intended to reassure the European Union that Canadian privacy laws were adequate to protect the information of European Citizens.

PIPEDA incorporates and makes mandatory provisions of the Canadian Standards Association's Model Privacy Code of 1995.

The law gives individuals the right to

  • know why an organization collects, uses or discloses your personal information
  • expect an organization to collect, use or disclose your personal information reasonably and appropriately, and not use the information for any purpose other than that to which you have consented
  • know who in the organization is responsible for protecting your personal information
  • expect an organization to protect your personal information by taking appropriate security measures
  • expect the personal information an organization holds about you to be accurate, complete and up-to-date
  • obtain access to your personal information and ask for corrections if necessary
  • and complain about how an organization handles your personal information if you feel your privacy rights have not been respected.

The law requires organizations to obtain consent when they

  • collect, use or disclose your personal information
  • supply an individual with a product or a service even if you refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction
  • collect information by fair and lawful means
  • and have personal information policies that are clear, understandable and readily available.

Though the Act requires that affected organizations comply with the CSA Model Code for the Protection of Personal Information, there are a number of exceptions to Code where information can be collected, used and disclosed without the consent of the individual. Examples include for investigations related to law enforcement or in the event of an emergency. There are also exceptions to the general rule that an individual shall be given access to his or her personal information.

Any individual who believes that an affected organization is not following PIPEDA is able to complain to the Privacy Commissioner of Canada, who investigates the complaint. The Commissioner does not have any remedial powers, but issues a report on the investigation. After receiving the report, the individual may proceed to the Federal Court of Canada, which is able to order compliance and award damages.

The implementation of PIPEDA occurred in three stages. 1 Starting in 2001, the law applied to federally regulated industries (such as airlines, banking and broadcasting). In 2002 the law was expanded to include the health sector. Finally in 2004, any organization that collects personal information in the course of commercial activity was covered by PIPEDA.

[edit] External links