The 10 Privacy Principles of PIPEDA

The first principle of the 10 Privacy Principles of PIPEDA is Accountability.

1. Accountability

The principle of Accountability states that an organization shall designate someone to be accountable for the management of personal information. This includes the collection, usage, disclosure, retention, and transfer of personal information to third parties for processing.

The Privacy Officer

The title of the person performing this role is usually known as a Privacy Officer or a Chief Privacy Officer (CPO), depending on whether the role is at an executive level within an organization. It is not necessary to externally hire a privacy officer for the position. Many organizations simply choose to promote and train someone to this role internally. It is not only a good idea to publish the role of a privacy officer internally and externally – it is also good business sense. Employees, as well as customers and external stakeholders, will gain confidence in an organization when they know the organization is serious about privacy.

Part-time or Full-time?

Depending on the size of an organization and the business it is in, the role of a privacy officer may not provide sufficient work to warrant a full-time position. Smaller organizations usually make the role of a privacy officer secondary to an employee's primary role. Larger organizations, especially those that manage much personal information, will usually have a full-time privacy officer or choose to blend this role with the executive Chief Information Officer, human resources, or a corporate lawyer.

Develop Procedures

The privacy officer must develop procedures to protect personal information and effectively receive and respond to complaints and inquiries with respect to the way the organization manages personal information. The privacy officer should also develop materials to train staff and communicate this information internally and externally. This therefore requires that the privacy officer have an intimate understanding of the business the organization is in and exactly how it manages personal information across the entire organization.

Third Party Protection

Another requirement under this principle is that the privacy officer is not only responsible for the management of personal information under the organization's control, but also the personal information it transfers to a third party for processing. When creating contracts with third parties, an organization should ensure that a clause is included that states that the third party will provide a comparable level of privacy protection. The organization may also choose to perform audits on third parties to ensure that their policies and procedures are adequate. If so, it should be ensured that details of the audit procedure are worked into the contract. Remember, an organization is not "off the hook" once it transfers information to a third party.

The second principle of the 10 Privacy Principles of PIPEDA is Identifying Purposes.

2. Identifying Purposes

The principle of Identifying Purposes states that an organization must clearly identify the purposes for which personal information is collected, either before or at the time of collection. For example, if an organization offers application forms which require personal information, those application forms should clearly describe the purposes for which personal information is being collected. This also helps organizations comply with the Openness and Individual Access principles.

When Collecting Personal Information

If an organization uses its employees to collect personal information, such as asking customers for their addresses or phone numbers when they purchase products or services, those employees should be able to clearly explain why personal information is required when they ask for its collection.

New Purposes for Personal Information

If personal information is collected and an organization finds a new purpose for it, the organization cannot use that personal information for another purpose without consent, unless the new purpose is required by law.

Compliance with Other Principles

Abiding by this principle also helps an organization comply with the fourth principle of Limiting Collection and prevents it from collecting information that is not required for its intended purposes. An organization also cannot refuse to provide a product or service to an individual if that individual refuses to provide personal information that is not required for or related to the product or service (e.g. drivers licenses for product returns). The principle of Identifying Purposes is also closely linked to the principles of Limiting Collection and Limiting Use, Disclosure, and Retention.

3. Consent

The principle of Consent states that the knowledge and consent of individuals are required when an organization collects, uses, or discloses personal information. It must be clear and concise, and it must be given in such a way that the individual clearly understands. If an organization collects personal information on application forms, it may not use ambiguous wording to trick individuals into giving their consent for purposes they cannot reasonably understand.

Different Types of Consent

There are different types of consent that an organization may obtain. These include explicit, implicit, and opt-out consent. Consent may be provided verbally, in writing, or through an application form, or inferred from an individual's actions. Consent may also be given by an individual's authorized representative, such as a legal guardian, lawyer, or through the power of attorney, if the individual is a minor, seriously ill, or mentally incapacitated. Whether collecting personal information in person, on the phone, or through an application form, obtain proper consent.

Withdrawing Consent

Individuals can withdraw consent at any time, subject to any legal or contractual restrictions and reasonable notice. The organization must notify the individual about the implications of withdrawing consent.

Exceptions to the Principle

Consent is not required when it is impossible or impractical to seek it, such as for legal, medical, or security reasons. Also, if information is being collected for the purpose of the prevention of fraud or for law enforcement, it may not be appropriate or possible to seek consent, and it may not be required.

Compliance with Other Principles

The principle of Consent is closely linked with other principles. For example, every time an organization asks an individual for consent to provide personal information, it should also identify the purposes for which it is being collected, and do so in such a way that is clear and straightforward. This works in tandem with the Openness principle.

4. Limiting Collection

The principle of Limiting Collection states that the personal information an organization collects should be limited to that which is necessary for the purposes identified. Whenever it collects personal information, an organization shall identify the purposes for doing so.

Fair and Lawful Means

An organization must collect personal information by fair and lawful means. An organization may not use deception, trickery, or ambiguity to construe the purposes for which personal information is used.

Information Handling Policies and Procedures

An organization's privacy officer or person(s) responsible for privacy compliance should create information handling policies and procedures and specify what type of personal information is collected.

5. Limiting Use, Disclosure, and Retention

The principle of Limiting Use, Disclosure, and Retention states that an organization shall limit the ways it uses, discloses and retains personal information. This means that an organization should not use or disclose personal information for purposes other than those for which it has identified purposes and received consent. The organization's privacy officer should develop guidelines and implement procedures to support this principle.

Exceptions

There are some exceptions to this principle, such as providing personal information to authorities for investigating fraud. In addition, an organization may have legal obligations to comply with. Refer to PIPEDA for specific exceptions.

New Purposes for Personal Information

If an organization wants to use personal information for a purpose that it did not originally collect it for, it must obtain consent from those affected individuals. Also, the organization should document the new use of personal information in order to be compliant with the principles of Openness and Individual Access.

Develop Guidelines and Implement Procedures

An organization must develop guidelines and implement procedures for the retention of personal information and should only retain personal information for as long as it is required to fulfill its intended purposes. Once it is no longer required, personal information should be destroyed, erased, or made anonymous.

Minimum and Maximum Retention Periods

An organization should implement a minimum and maximum retention period for personal information. A recommended minimum retention period for an organization is at least one year. It should allow the organization sufficient time to use the personal information, satisfy any legal or contractual requirements, and allow time for the individual to exercise his or her rights to request personal information under PIPEDA. If an organization requires ongoing use of personal information, it should increase the minimum retention period. The maximum retention period will need to be determined by the organization. The organization should only retain personal information for as long as is necessary to fulfill its purposes. Some organizations such as Facebook have been frowned upon for having no definable maximum retention period.

Destroying Personal Information

After the maximum retention period, an organization should destroy, erase, or otherwise make anonymous the personal information it has collected. The organization should also allow a reasonable amount of time for an individual to request his/her personal information before it is destroyed.

Personal Information is a Liability

While many organizations see personal information as an asset, it is rather a large, unnecessary liability that grows the longer it is held. The more personal information an organization collects, the more it has to lose. Nothing can destroy a company's image and business quicker than suffering a privacy breach and losing customers' and clients' sensitive personal information.

Data Mining

Organizations that collect personal information from their customers and clients often see data mining as a valuable tool to discover relationships and patterns in data that may give their business a competitive edge. In order to be compliant with the principle of Limiting Use, Disclosure, and Retention, an organization should make information anonymous before accumulating and using it for statistical analysis. This way, organizations can reap the benefits of using their data to find important patterns while satisfying their requirements under privacy legislation.

Compliance with Other Principles

The principle of Limiting Use, Disclosure, and Retention is closely linked with other principles such as Consent, Identifying Purposes, and Individual Access.

The sixth principle of the 10 Privacy Principles of PIPEDA is Accuracy.

6. Accuracy

The principle of Accuracy states that an organization should ensure that the personal information it collects is accurate, complete, and up-to-date for the purposes for which it is being used. This also includes information that is disclosed to third parties.

How Accurate?

An organization should ensure that personal information is accurate, taking into consideration what the personal information is being used for and also taking into consideration the best interests of the individuals. For example, if an organization collects personal information to conduct pre-employment screening, it should make a serious effort to ensure its accuracy. Not making reasonable strides to ensure the collection of accurate personal information means that an individual's employment could be at stake.

Updating Personal Information

An organization shall not routinely update personal information unless it was collected for a purpose that requires its continual use. For example, if customers or clients provide their contact information to subscribe to a company's newsletter, it would be reasonable to ensure that personal information is routinely updated so that the organization can continue to provide subscriptions.

The seventh principle of the 10 Privacy Principles of PIPEDA is Safeguards.

7. Safeguards

The principle of Safeguards states that an organization should protect personal information with security safeguards that are appropriate for the sensitivity of the personal information held, regardless of what format it is stored in (paper, electronic, etc). Personal information should be protected against loss or theft, unauthorized access, disclosure, copying, use or modification. The organization should determine how sensitive personal information is and implement safeguards to protect it. No system is completely secure. It is always good business sense to enact safeguards that provide better-than-average protection for the personal information an organization holds — after all, the last thing an organization wants is to suffer a privacy breach.

What Type of Safeguards Should a Business Use?

If someone owns a small business and collects customers' email addresses for an online newsletter, she might store the emails in a spreadsheet. It then may be reasonable to password protect the spreadsheet and/or encrypt it so that if the spreadsheet were stolen, it would be difficult to decrypt and retrieve the email addresses. If an organization were to collect more sensitive personal information, such as credit card numbers, the organization would be expected to have much stronger safeguards in place to protect that information.

Methods of Protection

Organizations should use physical, organizational, and technological methods to protect personal information.

Physical Methods

An organization should use physical methods to protect personal information whenever possible. Cabinets, safes, doors, and offices should be locked when they are not in use. An organization should implement and enforce a clear desk policy. Employees should have their desks clear and free of any papers containing sensitive personal information or confidential company information. Employees should lock this information in a private filing cabinet. Similar rules apply for a clear screen policy. Sensitive and confidential personal information should not be visible to the public. When printing or receiving faxes, documents should be retrieved immediately. Some office printers allow employees to print papers only once they approach the printer and key in their personal code.

Organizational Measures

Many organizations give employees RFID tags which open doors according to a security access level. Information should be limited to a need-to-know basis, and organizations should restrict access whenever possible. Some organizations wisely choose to pre-screen their employees for criminal records and bad credit histories before giving them access to sensitive information.

Technological Measures

An organization should enforce strong passwords and have employees change them on a scheduled basis. It should also implement encryption whenever possible, especially when dealing with sensitive personal information such as credit card numbers. Encryption should be considered at all stages of transit.

Training Employees

An organization's privacy officer should ensure that all employees are aware of the importance of maintaining the confidentiality of personal information. This can be done initially upon training, by having routine "refresher" sessions, and through documentation.

Destroying Personal Information

Organizations should exercise great care when disposing of or destroying personal information. News headlines are increasingly reporting businesses who foolishly dispose of sensitive personal information, often by throwing un-shredded papers into the trash, which then become public property.

The eighth principle of the 10 Privacy Principles of PIPEDA is Openness.

8. Openness

The principle of Openness states that an organization shall make its policies and procedures about how it manages personal information readily available. It should not provide barriers to access — if an individual is making a request to know about your organization's information handling practices, the request should be fulfilled without an unreasonable effort. When providing the information, it should be available in a form that is generally understandable. The information should be provided in plain, simple English that someone without a university degree can understand — save legalese for your lawyers and contracts.

Requirements from PIPEDA

PIPEDA specifically states that an organization shall make the following available:

"the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded"
This should be the contact information of the organization's privacy officer or person(s) responsible for privacy compliance.

"the means of gaining access to personal information held by the organization"
The organization should let individuals know how they can gain access to view or retrieve their personal information.

"a description of the type of personal information held by the organization, including a general account of its use"
This is in harmony with a few other principles, such as Identifying Purposes.

"a copy of any brochures or other information that explain the organization's policies, standards, or codes"
An organization can easily have this done by putting information on its website, either as a web page or via a downloadable PDF file.

"what personal information is made available to related organizations (e.g., subsidiaries)"

Different Ways to Publicize

Depending on the nature of the business an organization operates in, there are different methods of providing publications on how an organization handles personal information. As mentioned earlier, one of the most effective ways of doing this is by putting policies and procedures online. It is a best practice to have this available in multiple formats (hard-copy brochures, etc). For example, an organization can offer brochures and have these available within a reception area. The organization can also mail the information to customers, send it through an email newsletter, or provide a toll-free number for individuals who are curious. The organization should ideally have the information available in different formats for different audiences.

The ninth principle of the 10 Privacy Principles of PIPEDA is Individual Access.

9. Individual Access

The principle of Individual Access states that upon an individual's request, an organization shall make known to the individual the existence, use, and disclosure of his or her personal information and give access to it. If an individual challenges the accuracy or completeness of his or her personal information, the organization shall amend the information where appropriate. This can involve correcting, deleting, or adding personal information. Where appropriate, your organization should transfer the amended information to third parties.

Exceptions

An organization may deny access to some personal information for a number of reasons. For example, a request may be denied if information is solicitor-client privileged or if granting access would reveal confidential commercial information. If an organization or public body denies access to personal information, it must notify the individual of the reason for doing so, and it must be a legitimate reason allowable by privacy legislation. The organization should also provide the individual with information about its complaint procedures or how to contact the Privacy Commissioner of Canada if the individual wishes to file a complaint about the denied access request.

Requesting Identification

Before providing access to or amending personal information, an organization should verify that it is communicating with the correct individual. Some organizations choose to do this by asking for government-issued identification. Others may ask an individual on the phone to verify his or her account information by providing information such as a maiden name or password before proceeding. An organization should only collect this information for identification purposes. Once the individual has been identified, the organization should not continue to hold that information, as it has already fulfilled its purpose. An organization should also not seek to use stringent identification requests as a barrier to access.

Reasonable Time and Costs

An organization should respond to access requests in a reasonable amount of time and at a minimal or no cost to the individual. An organization shall reply in no longer than 30 days from receipt of the request. If an organization legitimately requires more time to fulfill a request, it must send a notice of extension to the individual, provide the reason for doing so, and notify the individual of his or her right to make a complaint with the Privacy Commissioner of Canada.

Making Information Accessible

If an organization uses abbreviations or codes, it should provide an explanation of what they mean to the individual.

Third Party Disclosure

If an individual desires to know which third parties his or her personal information has been disclosed to, the organization shall let the individual know. If it is difficult to know which third parties personal information may have been disclosed to, then the organization should mention all third parties to which the information may have been disclosed.

Challenging Compliance

If a case is not resolved to an individual's satisfaction, the organization should record details of the case. The existence of the unresolved case should then be transmitted to third parties wherever appropriate.

The tenth principle of the 10 Privacy Principles of PIPEDA is Challenging Compliance.

10. Challenging Compliance

The principle of Challenging Compliance states that individuals shall be able to challenge an organization's compliance with any of the privacy principles of PIPEDA. This means that an organization must have procedures in place to receive and respond to complaints and inquiries. An organization must not only have them in place, but also notify individuals who make inquiries or complaints of their existence. The procedures should be simple and easy to use.

Investigating Complaints

If an organization receives a complaint, it should investigate it — not ignore it. The organization's privacy officer (or person responsible for privacy compliance) is responsible for accepting and investigating inquiries and complaints. If the complaint is justified, the organization should take appropriate measures to remedy it. This may involve amending the organization's practices and policies.