PIPEDA (Personal Information Protection and Electronic Documents Act) requires that organizations covered by the Act adhere to its ten basic principles: (source: http://www.privcom.gc.ca/information/guide_e.asp)
- Accountability – an organization must clearly identify a person within that organization who is their in-house PIPEDA compliance officer. This individual will be responsible for ensuring that the organization is in continual compliance with all of the 10 principle areas of the Act.
- Identifying purposes – an organization must now state openly the reasons why personal information is being collected and be specific in identifying how this information will be used. That means that you can’t use information for other reasons than what you stated to the individual.
- Consent – an organization must obtain the consent of the individual to collect their personal information and to use it for the specific intended purposes, or it cannot collect or use this information.
- Limiting collection – an organization must limit the amount and type of the information gathered to what is necessary for the identified purposes. As well, an organization must identify the kind of personal information it collects in its information-handling policies and practices and ensure that staff members can explain why the information is needed.
- Limiting use, disclosure, and retention – an organization must now have policies in place regarding the parameters of use for specific groupings of information and clearly identify an information lifecycle: 1) why the information is collected, 2) how it is used and how it is stored, 3) when its usage is defined as finished, and 4) how this information is disposed of or destroyed.
- Accuracy – it is an organization’s responsibility to keep personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.
- Safeguards – an organization must protect personal information against loss or theft, safeguard the information from unauthorized access, disclosure, copying, use or modification and implement policies and practices to protect personal information regardless of the format in which it is held.
- Openness – an organization must inform customers, clients and employees that it has policies and practices for the management of personal information and make these policies and practices understandable and easily available.
- Individual access – when requested, an organization must inform individuals if it has any personal information about them and explain how it is or has been used and provide a list of any organizations to which it has been disclosed, as well as give individuals access to their information.
- Challenging compliance – an organization must develop simple and easily accessible complaint procedures, inform complainants of avenues of recourse, investigate all complaints received and take appropriate measures to correct information handling practices and policies.
Your organization’s general responsibilities:
- Comply with all 10 of the above principles
- Appoint an individual (or individuals) to be responsible for your organization’s compliance.
- Protect all personal information held by your organization or transferred to a third party for processing.
- Develop and implement personal information policies and practices.