What are my business's responsibilities under PIPEDA?

What are my business's responsibilities under PIPEDA?

Text appears on screen: What are my business’s responsibilities for under PIPEDA?

Narrator: PIPEDA includes 10 fair information principles that all businesses subject to the Act must follow. Let’s look at a few highlights from each principle to give you a sense of what your business can do to fulfill its responsibilities.

[In the background on the screen, there is a photo of a woman in business clothing talking on the phone. Ten icons representing the 10 fair information principles appear on the screen in the foreground.]

Narrator: Keep in mind that this is just an overview of your responsibilities—the Privacy Guide for Businesses outlines each of the principles in more detail and can link you to other helpful resources.

[The icons are replaced by the logo of the Office of the Privacy Commissioner of Canada.]

Text appears on screen: Fair information principle 1: Accountability

Narrator: The first principle is “Accountability”. Your business is responsible for the personal information under its control. In other words, it must be accountable.

[An icon of a clipboard with a checkmark on it appears, then, an icon representing a small business appears. Then, a checkmark appears between the two. The small business icon disappears and is replaced by the following checklist:]

Narrator: That means:

• Appointing someone to be responsible for PIPEDA compliance—for example, a Chief Privacy Officer
• Protecting all personal information, including any that gets transferred to a third party, and
• Developing and implementing policies and practices to protect personal information
• It’s important to tell employees and customers who your designated privacy official is and how to contact them
• In order to show your accountability, you should also make sure that all front line employees are able to explain your company’s privacy policies to customers

Text appears on screen: Fair information principle 2: Identifying purposes

Narrator: The next principle is “Identifying purposes”.

You have to be able to clearly explain to your customers what personal information you’re collecting and why, and this needs to happen before or at the time of collection.

[An icon of a target with an arrow in the bullseye appears on the screen. Then, an icon of a person appears beside it. The person icon disappears and the following checklist appears:]

Narrator:

• That means reviewing all the personal information your business holds to make sure it’s required for a specific purpose
• It also means that when you request personal information from a customer, you explain your reasons for collecting it
• If you’re not sure how to define your purposes, think about what a reasonable person would consider appropriate under the circumstances
• Keep the definition as clear and as narrow as possible so it’s easy to understand how the information will be used
• Keep a record of all these identified purposes and the consents your business has obtained

Text appears on screen: What do you think? What should all employees be trained on when it comes to privacy policies?

• What valid and meaningful consent is and when and how it must be obtained
• Who in the company receives privacy-related questions and complaints
• How to recognize and process requests for access to personal information
• All the above

[All of the above is highlighted as the correct answer.]

Feedback: Employees should also know how to respond to public inquiries regarding privacy policies and be aware of any initiatives relating to personal information protection.

Text appears on screen: What do you think? A company takes the time to document every purpose it has for collecting personal information. Is this really necessary?

• Definitely
• No, that’s excessive

[Definitely is highlighted as the correct answer.]

Feedback: Not only is documenting identified purposes a requirement, it also helps businesses determine what personal information to collect in the first place.

Text appears on screen: Fair information principle 3: Consent

Narrator: The third fair information principle is “Consent”.

Businesses that wish to collect, use or disclose personal information have to ask for and obtain permission.

[An icon appears on the screen with a speech bubble in it. There is a checkmark inside the speech bubble. Then, an icon representing a small business appears next to it, followed by an icon of a person. Finally, a checkmark appears between the business and person icons.]

Narrator: This gives your customers greater control over their personal information. You may have noticed that a lot of privacy policies and terms of use are long and full of legal jargon. Your business must provide information to customers in a clear, timely, user-friendly way. That will help to ensure that the consent your customers give is meaningful.

[The icon representing a small business, the checkmark and the icon of the person disappear. Then, next to the speech bubble icon the following checklist appears:]

Narrator: Businesses need to clearly explain to customers:

• What personal information is being collected
• Why they’re asking for this personal information
• Who they’re going to share it with, and
• Any potential harms that may arise from collecting or sharing their information

[The speech bubble icon disappears and the logo for the Office of the Privacy Commissioner appears.]

Narrator: Consent is a key element of PIPEDA. You can read more about it in the Privacy Guide for Businesses as well as the OPC’s Guidance on obtaining meaningful consent.

Text appears on screen: What do you think? As long as a company provides customers with some kind of explanation about how personal information is being used, they’ve met consent requirements.

• That sounds right
• No, I don’t think so

[No, I don’t think so is highlighted as being the correct answer.]

Feedback: Not quite. Under PIPEDA, businesses must obtain meaningful consent for the collection, use and disclosure of personal information. Consent is considered meaningful when individuals are provided with clear, timely information explaining how their personal data is being used. The purposes for collection must be ones a reasonable person would consider appropriate in the circumstances.

Text appears on screen: Fair information principle 4: Limiting collection

Narrator: The fourth fair information principle is quite simple: Limit the personal information your business collects to only what is needed to fulfill a legitimate purpose.

[A circle with an icon representing a person appears. There is also a hand in the circle, signalling, “stop”. Beside it, the following checklist appears:]

Narrator:

• Always be honest with your customers about why you’re collecting the information—it’s against the law to mislead or deceive customers about the purpose.
• Remember: it’s much safer to collect less information than too much. That reduces the risk of it being inappropriately accessed, used or lost.

Text appears on screen: Fair information principle 5: Limiting use, disclosure and retention

Narrator: The fifth principle is all about limiting how you use, disclose and retain personal information:

[A circle appears on the screen with an icon representing a person in it. The person icon is surrounded by a darker coloured circle. A triangle has been cut out of the circle, like a part of a pie chart representing restraint in use of information. Beside it, the following checklist appears:]

Narrator:

• Only use personal information for the reasons you’ve told the customer. If you want to use or disclose the information for a new purpose, obtain fresh consent
• Don’t keep the information any longer than you need it
• You can only keep personal information for as long as it fills its intended purpose. After that, you must destroy or erase the information
• Information must be disposed of securely to prevent a privacy breach. That could mean securely shredding paper files or effectively deleting electronic records

Text appears on screen: What do you think? If a company gets a customer’s consent to use their information for one purpose, they’re allowed to use it for something else.

• Yes, that makes sense
• No, that doesn’t seem right

[No that doesn’t seem right is highlighted as the correct answer.]

Feedback: A business cannot use the information collected for a different purpose unless they obtain the customer’s clear and meaningful consent.

Text appears on screen: What do you think? Should all employees have access to the personal information a company holds?

• Yes, absolutely
• No, I don’t think so

[No I don’t think so is highlighted as the correct answer.]

Feedback: Absolutely not. Employees should only have access to the information they need as part of their job. Your business should take appropriate action when information is accessed without authorization.

Text appears on screen: Fair information principle 6: Accuracy

Narrator: The sixth fair information principle is “Accuracy”. Make sure that the personal information your business holds is as accurate, complete and up-to-date as necessary to fulfill the purpose you collected it for.

[A circle appears with a pair of glasses inside it so that the circle looks like a face. Beside it, the following checklist appears:]

Narrator:

• Have policies to govern what types of information need to be updated. This will minimize the possibility of using incorrect information when making a decision about an individual or disclosing the information to a third party
• Always ask yourself if any harm might come to your customer if you were to disclose wrong or outdated information

Text appears on screen: Fair information principle 7: Safeguards

Narrator: “Safeguards” is the seventh principle.

Use appropriate security safeguards to protect personal information against loss, theft, unauthorized access, disclosure, copying, use or modification. The more sensitive the personal information is, the stronger your security safeguards should be.

[A circle appears on the screen with a shield icon inside it. Beside it, the following checklist appears:]

Narrator:

• That means putting in place: Physical measures such as locked cabinets and alarm systems, organizational controls, like security clearances and staff training and technological tools, such as passwords or encryption
• Test your technology for vulnerabilities. Make sure that any old systems or databases aren’t vulnerable if you upgrade to newer technology. There are off-the-shelf solutions and security specialists that can help with this
• It’s also important to know your industry. Hackers will often try the same tricks against multiple businesses. The more aware you are, the better chance you have of avoiding the same pitfalls

Text appears on screen: What do you think? How can my company be proactive on accuracy?

• Frequently ask yourselves whether using or disclosing out-of-date or incomplete information could harm the customer
• Have and implement policies on what types of information need to be updated
• Know what information your business requires in order to provide a service and be aware of where the information is stored
• All of the above

[All of the above is highlighted as the correct answer.]

Feedback: Your company must also keep records about when information is obtained or updated and what steps were taken by employees to ensure the information is up-to-date. This could involve reviewing your records or contacting your customers.

Text appears on screen: What do you think? Once a company has a set of safeguards in place, it’s fulfilled its responsibilities to protect personal information.

• Yes, exactly
• No, not quite

[No, not quite is highlighted as the correct answer.]

Feedback: Once security safeguards are in place, it’s important to review them regularly to make sure they’re up to date, and that any known vulnerabilities have been addressed.

Text appears on screen: Fair information principle 8: Openness

Narrator: The eighth fair information principle is “Openness”.

[A circle appears on the screen with a pair of hands inside it. The hands are holding up a circle with the letter “i” inside it. Beside it, the following checklist appears:]

Narrator:

• Show customers you take their privacy seriously by letting them know that your business has established policies and practices for managing their personal information
• And make sure these policies are understandable and readily available
• Put up signs, post information on your website and look for other ways to actively share this information

Text appears on screen: Fair information principle 9: Individual access

Narrator: The ninth principle is “Individual access”.

Your customers generally have the right to see the personal information your business holds about them. They also have the right to challenge the accuracy and completeness of the information, and to have that information changed as appropriate.

[A circle appears with a hand inside it. Above the hand is a key. It looks like the hand is offering or receiving the key. Beside it, the following checklist appears:]

Narrator:

Be ready to respond to requests for access:

• When asked, let people know what personal information your business holds about them
• Explain how that information is being used and who it’s being shared with, and
• If a customer requests it, provide them with a copy of the information or allow them to view or review a recording of the information
• You have to respond to requests as quickly as possible. Thirty days is the standard response time limit
• You also have to make sure you document any disputes and advise third parties where appropriate

Note that there are exceptions to the Access principle.

• For example, a business may not need to provide access if doing so would reveal personal information about another person or if the information is protected by solicitor-client privilege

The Privacy Guide for Businesses provides further guidance, including other exceptions to the Access principle.

[The circle with the hand and key disappear. The logo of the Office of the Privacy Commissioner appears.]

Text appears on screen: What do you think? When a company provides information to customers about its access policies and procedures, what should they include?

• Who is responsible for access requests and how to contact them
• How people can gain access to their personal information
• How to file a complaint
• All the above

[All of the above is highlighted as the correct answer.]

Feedback: All of this information should be provided in easy-to-understand terms. Information about privacy practices should also list what personal information your company will disclose to other organizations and why.

Text appears on screen: What do you think? How can a business make sure that requested information is understandable to customers?

• Explain acronyms
• Spell out abbreviations
• Describe codes
• All the above

[All of the above is highlighted as the correct answer.]

Feedback: These are all good ways to make requested information more understandable to customers.

Text appears on screen: Fair information principle 10: Challenging compliance

Narrator: The tenth and final principle is “Challenging compliance”. People have the right to challenge your business’s compliance with the 10 fair information principles. They also have the right to effective recourse if their personal information was mishandled.

[A circle with a speech bubble inside it appears. There is an exclamation point inside the speech bubble. Beside it, the following checklist appears:]

Narrator:

• Let customers know that if they have any questions or concerns about how you handle their personal information, they can contact your business’s designated privacy official
• Develop simple and accessible complaint procedures, and investigate all complaints your business receives
• If your investigation uncovers problems, take appropriate measures to address your personal information handling practices

Text appears on screen: What do you think? PIPEDA compliance is the only reason to handle privacy complaints and challenges in a clear and fair manner.

• Yes, definitely
• No, there’s more to it than that

[No, there’s more to it than that is highlighted as the correct answer.]

Feedback: Handling complaints fairly can help to preserve or restore a customer’s confidence and trust in a company.

Narrator: All businesses must follow the 10 fair information principles to protect personal information.

[All ten of the fair information principles appear on the screen:]

• Accountability
• Identifying purposes
• Consent
• Limiting collection
• Limiting use, disclosure and retention
• Accuracy
• Safeguards
• Openness
• Individual access
• Challenging compliance

Narrator: Being proactive on privacy means you can enjoy the confidence and trust of your customers.

[The ten fair information principles disappear and the logo of the Office of the Privacy Commissioner appears.]