Canada has two federal Privacy laws:
- The Privacy Act 1983, applies to the federal government’s handling of personal information.
- The Personal Information Protection and Electronic Documents Act 2000 (PIPEDA), applies to how businesses handle personal information.
PIPEDA sets out clear rules to follow for private sector businesses in Canada that handle personal information. Any company that has information crossing provincial or national borders is subject to PIPEDA, regardless of which province or territory they are based in. ¹
PIPEDA does not give a geographical limit, however, the Federal Court of Canada has ruled that ‘PIPEDA does apply to businesses found in other jurisdictions if there is a substantial connection between an organisation’s activities and Canada’. ² Therefore, Canada’s data privacy law will have a direct impact on US and international companies that have Canadian customers.
Companies must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. These are:
An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Personal information must be protected by appropriate security relative to the sensitivity of the information.
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer. ᵌ
Organisations who come under PIPEDA and who are using information in the course of commercial activity must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. Under PIPEDA people have the right to access their personal information held by any organisation. They also have the right to challenge its accuracy.
Personal information can only be used for the purposes for which it was collected by a company. If an organisation is going to use the information for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards. ⁴
Any organisations subject to PIPEDA who become aware of any breaches of their security that could result in personal information being leaked must notify the Privacy Commissioner of Canada. Companies must also inform any individual whose information is involved in these breaches. Records of all security breaches must be kept for two years.
Provincial Privacy laws
Each Province has either fully adopted the federal PIPEDA or have developed their own Privacy law deemed ‘substantially similar’ by the Office of the Privacy Commissioner of Canada. Some provinces adhere to PIPEDA overall, but their Health Privacy laws have been deemed substantially similar to federal PIPEDA so stand alone. (See bottom of article for Privacy laws and links to policies).
Trust and Compliance
It is important that companies and individuals feel confident sharing their data with other businesses. Businesses need to demonstrate that they are following the laws as they are set out and are PIPEDA compliant.
One area that requires people to share a lot of personal information is lone worker systems. As the system needs a worker’s name, phone number and location in case of an emergency, companies need to know their data is being stored securely.
Ok Alone uses personal data in line with the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA.
Every person whose data Ok Alone uses has the right to request deletion, updating, correction, or the full record of their data. To enable this, each Admin Monitor can add, edit, update and delete Worker’s personal information in the system. In the event that there is a particular element of data the Monitor cannot edit, update or delete, they can also email [email protected] to request data is removed from the systems.
Ok Alone takes data privacy very seriously, making sure internal access to customer’s personal data is on a need to know basis. All users with access to personal data have individual logins and standard industry security practices are maintained.
Ok Alone customers also have a great deal of control over which people internally see personal data. There are three levels of user access rights for the Monitors, each of which grants different access to personal data. Workers do not have access to personal data. All interaction between Workers and the system occurs through an encrypted connection with the app. Combined, this ensures people’s data stays private.
Storage and Security
The servers used by Ok Alone are located in Canada and are subject to PIPEDA. This ensures all data received from customers is kept securely. Ok Alone does not share any data or information with other companies. Ok Alone encrypts their data and uses firewall protection to make sure all information on record is secure.
Provincial Privacy laws
Alberta – Personal Information Protection Act
British Columbia – Personal Information Protection Act
Northwest territories – The Personal Information Protection and Electronic Documents Act (PIPEDA)
Prince Edward Island – The Personal Information Protection and Electronic Documents Act (PIPEDA)
4 – https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/