Business | 15 min read
The PIPEDA Compliance Checklist: All You Need To Know When Doing Your Business In Canada
Laws are made to be broken. However, this principle is not always suitable. When it concerns business and personal information processing, you must follow all existing rules.
In this article:
Each region has a set of essential regulations for all businesses that process the personal data of users. If you have already visited our blog, you’ve come across articles about GDPR, CCPA, HIPAA. These regulations act in various world regions, and they are related to different business niches.
But there is another regulation we also want to cover. It is called PIPEDA, and it is working in Canada. This article will explain what PIPEDA is, how to become PIPEDA compliant, and other important information if you plan to launch your business in Canada.
What Is PIPEDA Compliance?
For a start, we need to explain what the PIPEDA abbreviation stands for. PIPEDA is the Personal Information Protection and Electronic Documents Act. This is the federal law that applies to Canadian businesses. It covers the gathering, usage, and disclosure of personal information within the commercial activity on almost all Canadian provinces’ territory.
Why not all provinces? Additional similar regulations related to information protection work in Alberta, Quebec, and British Columbia. PIPEDA also regulates the transfer of personal information between countries and provinces.
The PIPEDA regulation was created in April 2000. And first, it was a law that regulated trust in the eCommerce field. Then, in January 2004, the PIPEDA regulation was widened, and it became a federal privacy law for organizations of such private sectors as banking, healthcare, broadcasting, eCommerce, etc.
The main rules of PIPEDA claim that a person has the right to have permanent access to all personal information used by a specific organization. All persons should know who collects their personal information, the purpose of collection, and whether the collected data is accurate or not.
Qualified consultation before software development plays a crucial role. Do you need our assistance? Contact Cadabra Studio right now.
What is the Personal Information of PIPEDA?
The PIPEDA law classifies personal information as any information that collects the following data about each individual:
Name, age, financial data, ID number;
Ethnicity, nationality, or race;
Comments, social status, opinions, assessments;
Employment, education, and medical records;
Driver’s license, social insurance number;
Credit history and loan files.
As you can see, if you want to build a healthcare app, financial app like mobile-only banking, or any other app that requires the processing of personal data — you must ensure PIPEDA compliance.
If you want to know how to create a healthcare app, you will find a healthcare app development guide in our blog. As for banking app development — there is an article about mobile-only banking software creation.
However, there are some types of data that don’t fall under the PIPEDA rules. For example, when federal authorities listed under the Privacy Act process personal data (an active law in Alberta, British Columbia, and Quebec).
When a company’s management team collects employees’ contact data for individual use only — they don’t need to comply with the PIPEDA act.
When one person gathers, processes, or shares the information only for individual purposes.
Or when the company uses and gathers personal information for journalistic or artistic purposes only.
Is PIPEDA Active In All The Territory Of Canada?
PIPEDA is active around the whole Canadian region, but some provinces have the right not to make their businesses compliant with PIPEDA if they fall under similar privacy legislation. Thus, these provinces are exempted from the PIPEDA compliance.
As we noted above, provinces like Quebec, British Columbia, and Alberta use local laws that stipulate personal information processing, protection, and usage. So if you create a business that will work in one of these provinces, you should know everything about local laws.
As for international business, foreign companies must follow all PIPEDA rules. Even if the company is represented online only, it must get PIPEDA certification and abide by all regulations.
So, Who Must Be PIPEDA Compliant?
Now you want to know precisely whether your company must be PIPEDA-compliant or not. As stated in the Canadian law, all organizations that are not federally regulated must comply with PIPEDA regulation if they gather, process, or disclose personal data during commercial procedures. However, federal organizations are also PIPEDA-compliant if they use employees’ information for commerce.
Based on those above, almost every app that uses personal data will be PIPEDA-compliant on the Canadian territory or compliant with a local data protection law that is in force in one of three provinces (as we described in the section above).
PIPEDA Compliance Checklist
What should you do to make your business PIPEDA-compliant? You must get acquainted with ten principles PIPEDA includes. Also, we recommend you ensure that your business follows all these principles and use the self-assessment tool that is available on the official website of the Privacy Commissioner of Canada.
We will list all ten principles to provide you with the PIPEDA compliance checklist.
#2. Identifying purposes. When you gather data or plan to do it, you must notify users about the reasons for this kind of activity. Simply put, why you do it.
#3. Consent. You cannot start any activity without the prior consent of a user. Thus, users should be notified that their data will be collected, and they need to give their consent for it.
#4. Limiting collection. The information collected must be limited to specific purposes you do it for.
#5. Limiting use and disclosure. You cannot use or disclose the users’ information for purposes other than required for a specific activity type.
#6. Accuracy. All customers’ data must be complete and accurate. So it is essential to make sure that the information is up to date when you process it.
#7. Safeguards. Your users must feel safe. Thus, you need to show them that all appropriate safeguards are used to protect their sensitive information from malefactors.
#8. Openness. Customers should always be able to get acquainted with the security practices you use, reasons why you use and disclose their information, etc. All their questions that concern their data processing should be answered immediately.
#9. Individual access. All users have the right to request all information about their information you process, and you must provide them with it within 30 days. If they find some data to be inaccurate or outdated, they can demand to update it within the shortest possible time.
#10. Challenging compliance. If users have any concerns about your company’s PIPEDA compliance, they can create a claim and send it to the appropriate government organization. After the investigation, the user will receive a detailed report containing investigation results.
These all ten principles your business must follow to become PIPEDA-compliant in Canada and get a PIPEDA compliance certificate. It is recommended that you hire an officer who will inspect your business processes and help you ensure compliance.
It will also be crucial to build a risk management team that will work with users’ complaints, update their data when necessary, and resolve all arising issues. Yes, it will require additional investments, but you will be able to avoid permanent investigations made by the Privacy Commissioner Officer since users will contact your support team in case of any disputes.
Is your future software complicated? Should it be compliant with different government regulations? You need the assistance of an experienced development team that knows how to implement it. Contact Cadabra Studio for software development!
PIPEDA Data Security Compliance
Don’t forget to train your team to communicate with customers and know everything about privacy protection.
Restrict the access to private information for anyone who doesn’t need to see it.
It is recommended not to request sensitive data like driver’s license or PIN unless it is required in a specific case.
Respond to any user’s request concerning information processing as soon as possible and make sure that users know a contact person they can communicate with.
If any breach occurred, mind to notify users about it as soon as possible and take appropriate action to remedy all violations.
PIPEDA Violation Consequences
Following the last tip we provided in the previous section, it will be essential to explain what violation consequences exist if any data breach occurs.
If your company violates PIPEDA requirements of data protection and breach reporting, it may be fined up to CAD 100,000 per one violation.
It is worth noting that until 2018, all reports about data breaches were voluntary. Today you must report all violations and breaches that may harm users’ personal data. Moreover, all records about breaches must be kept by your company within two years (24 months). Non-compliance with these rules will be the reason for additional fines and restrictions for your company.
Important! Remember that you must notify users and the Office of the Privacy Commissioner of Canada as quickly as possible after the data breach discovery. Otherwise, your business will be at risk.
Apart from administrative penalties, criminal prosecution is also possible. If you purposely destroy the information when you receive a request to investigate this information. Furthermore, deliberate non-compliance with PIPEDA requirements will also be the reason for criminal prosecution. Finally, if you knowingly ignore the investigation when you receive the complaint — it is a criminal offence.
PIPEDA AWS Compliance
Many business owners have concerns regarding the utilization of cloud infrastructure like AWS (Amazon Web Services) in the territory of Canada. They want to know how to use AWS solutions along with PIPEDA compliance. Won’t it be a problem? Let’s find it out.
Since AWS doesn’t know what type of information customers upload to servers, and AWS cannot identify what data falls under the PIPEDA application, customers are responsible for PIPEDA compliance themselves.
Thus, you can use this cloud infrastructure easily and follow all PIPEDA regulations according to your business particularities. You can precisely control all data stored in the AWS cloud. But if you have any questions, specialists from AWS Canada Region are always available to help you solve all issues. Their qualification level will be enough to help you achieve a high security and protection level and ensure compliance with existing legislation, including PIPEDA.
Differences Between PIPEDA And GDPR
We think that it is necessary to explain what differences PIPEDA and GDPR have. These regulations work not only in different regions, but they are not the same as well. Some people may confuse these regulations, that is why we have prepared their main differences.
Consent for data processing. PIPEDA-compliant companies can receive explicit or implicit consent, depending on their decision. But the GDPR requires explicit consent only.
Extraterritoriality. The GDPR contains an extraterritoriality clause describing data processing particularities by companies outside the EU. In PIPEDA, there is no similar clause.
Applicability criteria. The GDPR applies to anyone (company or person) who processes, uses, and discloses EU citizens’ sensitive data. In contrast, PIPEDA works only when personal information is used for commercial purposes.
Right to be forgotten. Users in the EU may request their data deletion if they want. This clause is not stipulated in PIPEDA.
Data breach notification timeframe. According to the GDPR, companies need to notify about a data breach within 72 hours once they discover it. PIPEDA requires companies to inform all involved parties as quickly as possible, but there is no specific time range.
If you want to know more about the GDPR, check the GDPR compliance checklist in our blog.
HIPAA vs. PIPEDA
We cannot ignore HIPAA and PIPEDA differences if you plan to create a healthcare app for Canada. HIPAA (Health Insurance Portability and Accountability Act) works in the USA, it helps protect personal health information, and it governs the security of healthcare software. All organizations that use healthcare software must be HIPAA-compliant.
As for PIPEDA in Canada, healthcare organizations that build software for their patients must be PIPEDA-compliant only if they use this data in commercial activity. If so, they must provide patients and physicians with permanent access to their data and detailed explanations of the reasons why this data is collected.
However, if you create a healthcare app for the Ontario province, there is legislation equivalent to HIPAA called PHIPA (Personal Health Information Protection Act) your app must be compliant with. And the main difference with PIPEDA is that all information gathered, used, and disclosed by health custodians (doctors, nurses, hospitals, labs, etc.) must apply to PHIPA, even if it is not performed for commercial activity. In comparison, PIPEDA relates to commercial activity only.
The article about HIPAA compliance will help you spell everything out.
Now you can start making your PIPEDA-compliant software. Ensure that your business follows all the principles of PIPEDA, and you won’t face any trouble. However, don’t forget that your business should have reliable software.
Cadabra Studio is always on duty, and we are ready to help you with compliance issues and software development from scratch. Not without reason, Cadabra Studio is a troubleshooting company. Contact us right now, and we promise that any problem will be solved. That is what we do.