The Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information. Personal information includes information in any form, such as age, name, ID numbers, income, opinions, social status, employee files, credit records from expenses and other credit cards, intentions (for example, to change jobs). It is important to know that personal information does not include the name, title, business address or telephone number. In general, your personal information should only be collected, used and disclosed with your knowledge for legitimate purposes and in a way that keeps it secure and confidential.
PIPEDA lists 10 principles of fair information practices, which are outlined below:
- Accountability: Organizations must appoint someone to be responsible for privacy issues and make information about their privacy policies and procedures available to customers.
- Identifying purposes: Organizations must identify the reasons for collecting your personal information before or at the time of collection.
- Consent: Organizations should clearly inform you of the purposes for the collection, use or disclosure of personal information.
- Limiting collection: Organizations should limit the amount and type of the information gathered to what is necessary.
- Limiting use, disclosure and retention: In general, organizations should use or disclose your personal information only for the purpose for which it was collected, unless you consent. They should keep your personal information only as long as necessary.
- Accuracy: Organizations should keep your personal information as accurate, complete and up to date as necessary.
- Safeguards: Organizations need to protect your personal information against loss or theft by using appropriate security safeguards.
- Openness: An organization’s privacy policies and practices must be understandable and easily available.
- Individual access: Generally speaking, you have a right to access the personal information that an organization holds about you.
- Recourse (Challenging compliance): Organizations must develop simple and easily accessible complaint procedures. When you contact an organization about a privacy concern, you should be informed about avenues of recourse.
Be careful about sharing personal information or letting it circulate freely. When you are asked to provide personal information, ensure you understand how it will be used, why it is needed, who will be sharing it and how it will be kept safe. Read privacy policies and ask questions.