PIPEDA Demystified: What it applies to? What it Protects?

In the present day, where personal data is increasingly vulnerable to misuse, understanding the protections afforded by legislation like the Personal Information Protection and Electronic Documents Act (PIPEDA) is crucial. PIPEDA is Canada's federal privacy law governing how private sector organisations collect, use, and disclose personal information in the course of commercial activities.

What does PIPEDA apply to?

PIPEDA applies to private-sector organisations throughout Canada engaged in the collection, utilisation, or disclosure of personal information as part of their commercial activity. The term 'commercial activity' encompasses any specific transactions, actions, or conduct or any regular course of conduct of a commercial character.

Organisations subject to Provincial Privacy Laws:

Provinces of Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organisations which are subject to a substantially similar provincial privacy law are generally exempt from the application of PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.

Provinces of Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use and disclosure of personal health information.

Organisations that handle information crossing Provincial or National borders:

All organisations that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, irrespective of the province or territory in which they are based including provinces with legislation which are substantially similar to PIPEDA.

Federally regulated organisations:

Federally regulated organisations which conduct business in Canada are always subject to PIPEDA. The Act also applies to their employees’ personal information.

These organizations include:

• airports, aircraft and airlines;
• banks and authorized foreign banks;
• inter-provincial or international transportationcompanies;
• telecommunications companies;
• offshore drilling operations; and
• radio and television broadcasters.

Note: Organizations in the Northwest Territories, Yukon and Nunavut are considered federally regulated, and are therefore also covered by PIPEDA.

What does PIPEDA protect?

The main object of PIPEDA is to safeguard the personal information of individuals, ensuring that organisations indulged in commercial activity in Canada collect, use, and disclose it responsibly. Personal information, as defined by PIPEDA, includes any factual or subjective information about an identifiable individual, excluding publicly available information. This encompasses a wide range of data, such as:

• age, name, ID numbers, income, ethnic origin, or blood type;
• opinions, evaluations, comments, social status, or disciplinary actions; and
• employee files, credit records, loan records, medical records, online identifiers like IP addresses, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

What is not covered by PIPEDA?

In addition to its coverage, it's important to note what falls outside PIPEDA's jurisdiction. Examples include:

• Personal information managed by federal government entities governed by the Privacy Act
• Provincial or territorial governments and their representatives
• Business contact details like employee names, titles, and work-related contact information, used solely for professional communication
• Personal information handled for strictly personal reasons (e.g., a personal address book)
• Personal information collected, used, or disclosed for journalistic, artistic, or literary purposes
• Not-for-profit organizations, charities, and political parties, unless they engage in commercial activities unrelated to their primary objectives involving personal information
• Municipalities, universities, schools, and hospitals are typically governed by provincial laws, though PIPEDA might apply in specific circumstances.

Importance of protecting personal information:

Firstly, it ensures individuals' privacy rights are respected, fostering trust between consumers and organizations. Secondly, it mitigates the risk of identity theft, fraud, and other malicious activities. For example, if a company fails to adequately protect its customers' financial information, it could lead to unauthorized transactions and financial losses. Thirdly, it helps maintain Canada's reputation as a jurisdiction with strong privacy protections, which is vital for international trade and collaboration in the digital economy.

In essence, PIPEDA plays a pivotal role in safeguarding personal information in Canada. By understanding its provisions and adhering to its principles, organizations can uphold privacy rights, foster trust, and contribute to a safer and more secure digital environment for all Canadians.

This article is based on the provisions of the Personal Information Protection and Electronic Documents Act and information available on the website of Office of the Privacy Commissioner of Canada.