PIPEDA Canada Is Not What You Think. Understand It the Easiest Way by Busting Top PIPEDA Myths

4 years ago

The best thing about the law is it governs the industry or the entire nation.

And the worst with the law is that only a few can understand its obligations and responsibilities.

Things get more complicated when there are multiple laws - some at the federal level and some at the state-level - governing the same industry.

Canada is going through a similar challenge.

It has a privacy law at the federal level known as PIPEDA. PIPEDA stands for the Personal Information Protection and Electronic Documents Act).

There are many other laws at the provincial level.

Additionally, the official PIPEDA guide published by the government has many complex terminologies that not all people can understand easily.

As a result, they find a totally different meaning of the obligations and responsibilities.

And this is how the PIPEDA myths are born.

Today, we will reveal the top myths and bust them all.

Top 10 PIPEDA Canada Myths Busted

Myth
Reality
PIPEDA is a separate law and there is no similarity between PIPEDA and other provincial laws?PIPEDA and every other provincial privacy law share the same purpose - to govern the collection, usage and disclosure of data in the private sector. In fact, regulators have considered PIPEDA as a foundation while drafting provincial laws. This means if you become a complaint with PIPEDA, you become compliant with many other privacy laws to some extent.
PIPEDA does apply to all organizations in Canada.PIPEDA applies to organizations that collect, use and share the personal data of users only during commercial activity.
There is no difference between PIPEDA and PHIPA.There is a huge difference between PIPEDA and PHIPA. Unlike PIPEDA, PHIPA does apply to only healthcare organizations that collect, use, and disclose personal health information whether or not during commercial activities.
PIPEDA does apply in all Canadian provinces.PIPEDA is the private sector privacy law. In provinces that have their own private sector privacy laws such as Ontario, Alberta and British Columbia, PIPEDA does not apply.
Personal information does not include information of physical description.PIPEDA considers physical descriptions such as height, skin tone, weight as personal data.
PIPEDA applies to all organizations in the same way.PIPEDA does not apply to all in the same way. It largely depends on your commercial activities and business type. For instance, “If your organization operates in a province with substantially similar provincial legislation (B.C., Alberta and Quebec) and has to follow that law, PIPEDA only applies to interprovincial and international transactions.” and “If your organization operates in a province not subject to substantially similar provincial legislation and your organization is not an FWUB, PIPEDA applies to all commercial activities; however, it does not apply to employee information in your organization.”
PIPEDA only governs business activities in Canada.All commercial trans-border personal information flows are covered by PIPEDA. Examples of some trans-border personal information flows are, selling mailing lists to one state from another, sending customer data to another country for a loyalty program.
If PIPEDA applies to my organization, no other privacy laws apply to my organization.There are possibilities that more than one privacy law can apply to your organization. It could happen if you are on contract with another organization that had to follow a different privacy law.
I don’t have to take any action in case of a data breach.The data breach is serious trouble. You need to take a series of actions if such a misshape occurs. These actions include, you need to report the breach to the privacy commissioner of Canada, you need to notify all individuals, organizations and government institutions whose data has been neutralized, and lastly, you need to keep the record of the breach.
I need to ask consent before every time I use or share the users’ data.You don’t need to always ask consent. There are a few exceptions. For instance, if the disclosure is required to warrant, a court order. If the collection and use with consent would compromise the accuracy of the information.

Having PIPEDA myths and running a business at the same time is a deadly combination. Hire a PIPEDA consultant now.

PIPEDA is scary because of its complexity, difficult terminologies, number of regulations, and most importantly the violation fee.

No manner, how hard you try to be compliant with PIPEDA, you end up not meeting a requirement of the PIPEDA.

And this guarantees you a visit to the Privacy Commissioner of Canada.

A PIPEDA consultant plays a crucial role. In case you’re wondering about his roles, here are a few of them,

  • Execute security standard audit, asset & device audit, and security risk assessment
  • Discover the app/software security gaps
  • Discover the workable solutions to fill security gaps
  • Assist the development team to implement those workable solutions
  • Draft and implement an organization-wide security policy
  • Execute compliance audits

The end result would be peace of mind!

On a concluding note, we would like to share a case study that talks about how we helped a development firm to fill 47 security gaps in its mobile app to be HIPAA compliant.