The Personal Information Protection and Electronic Documents Act ( PIPEDA ) PIPEDA sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada.

PIPEDA (Personal Information Protection and Electronic Documents Act) was enacted in 2000 as a law governing how businesses collect, use, and disclose personal information. 

PIPEDA’s Main Features:

PIPEDA requires all companies that collect or use personal information to:

  • Obtain consent for collecting, using, and disclosing personal data - consent needs to be meaningful, which means people understand what they are consenting to. In addition, consent can only be required for information that is necessary to collect, and it can be withdrawn at any time.
  • Explain what collected personal information is used for - and make this information available and accessible, and user-friendly. 
  • Protect the personal data they collect - through a security policy and safeguards that are reviewed constantly to ensure they are up-to-date.
  • Serve individuals even if they refuse to give consent for collecting and using their personal data - you are required to provide service regardless of if consent is given and inform individuals of this.
  • Collect information fairly and lawfully and keep it up-to-date and accurate - keep data organized and establish policies for making sure it is up-to-date.
  • Ensure personal information policies are clear and available - let individuals know which information is collected, who it is shared with, why it is being collected, and the potential risks.
  • Appoint someone to ensure compliance with PIPEDA - assign someone in your organization and provide senior management support and authority.
  • Enable individuals to challenge the business’s compliance with PIPEDA - establish a complaint process and a process for investigating potential challenges made by individuals.