
What is Canada’s PIPEDA Compliance: A Brief Guide for Healthcare Organizations

May 31, 2024


To ensure that healthcare organizations handle sensitive patient information responsibly and meet compliance rules, the Canadian government has put in place the Personal Information Protection and Electronic Documents Act (PIPEDA).

Enacted in 2000, PIPEDA regulates how private companies, including healthcare organizations, handle personal information. With this blog, our goal is to brief you on Canada’s PIPEDA compliance, its 10 key principles, and who needs to comply with it.

We will also talk about Bill C-27, a proposed law poised to take personal information protection to the next level.

What is PIPEDA – A Brief History

PIPEDA is a Canadian federal law that governs how private-sector organizations collect, use, and disclose personal information during commercial activities.

Here’s what you need to know about PIPEDA:

  • Enacted in 2000, PIPEDA is enforced by the Office of the Privacy Commissioner of Canada. It has the power to investigate complaints and make recommendations.
  • It was refined in 2015 to align with the evolving international privacy standards.
  • It sets out 10 information principles that companies need to follow when handling personal information of consumers, like obtaining consent, keeping information accurate, and ensuring its security.
  • PIPEDA is applicable to companies collecting, using, and/or disclosing personal information during the course of commercial activities across Canada (except in provinces with substantially similar privacy laws).
  • The law empowers individuals with many rights over their personal information collected by organizations, like access and the ability to challenge compliance.
  • When an organization fails to comply with PIPEDA, it can result in monetary penalties of up to $100,000 per violation.

Let us now look at the 10 major principles that PIPEDA runs on.

The 10 Major Principles of PIPEDA

1. Accountability

As per this principle, organizations are responsible for the personal information under their control. Additionally, they must designate individuals or teams accountable for PIPEDA compliance.

2. Identifying Purposes

Organizations must clearly identify the purposes for which they collect personal information, at or before the time of collection. This facilitates transparency and helps individuals understand why their information is being collected.

3. Consent

According to this principle, individuals need to provide their consent for the collection, use, or disclosure of their personal information, except where inappropriate or as permitted by law. Moreover, individuals consenting to give their information must understand what they are consenting to.

4. Limiting Collection

Organizations should limit the amount and type of personal information collected to what is necessary for the purposes identified. Collecting only what is needed reduces the risk of unauthorized access or use.

5. Limiting Use, Disclosure, and Retention

Organizations may use or disclose personal information only for the purposes for which it was collected, unless the individual consents to a new purpose or the use is required by law. They must also establish retention periods for the information collected and dispose of it when it is no longer needed.

6. Accuracy

Organizations must also make efforts to ensure that personal information is complete, correct, and up to date for the purposes for which it is used.

7. Safeguards

Organizations are also required to safeguard personal information against theft, unauthorized access, loss, disclosure, use, duplication, or modification. The security measures they put in place should combine physical, technological, and organizational safeguards.

8. Openness

Organizations must be open and transparent about their policies and practices regarding the management of personal information. This also includes their privacy policies and procedures.

9. Individual Access

Individuals have the right to access the personal information an organization has collected and holds about them, and to challenge its accuracy if necessary. Organizations must provide this access upon request.

10. Challenging Compliance

Individuals should be able to raise concerns about an organization’s compliance with the PIPEDA principles. Organizations must have procedures in place to receive and respond to complaints and inquiries.

These principles collectively aim to ensure that organizations handling personal information in Canada do so responsibly, transparently, and in a manner that respects individuals’ privacy rights.

These are the key principles of PIPEDA. But who exactly needs to comply with this federal law?

Who Does PIPEDA Apply To

Before you start the complex task of PIPEDA compliance, it is prudent to ascertain whether the law is applicable to your organization.

PIPEDA clearly outlines the entities that need to comply with it. To find out whether your organization is one of them, ask yourself the following three questions:

  1. Does your organization operate in the private sector?
  2. Does your organization gather, utilize, and share personal data?
  3. Is this conducted as part of commercial or profit-driven operations in Canada?

If the answer to all three questions is yes, then your organization needs to comply with PIPEDA.

Privacy law has to move with the times, and the Canadian government intends to do exactly that. To keep pace with emerging technologies, a new bill with updated rules and requirements has been drafted to replace PIPEDA.

Bill C-27: Consumer Privacy Protection Act

To keep up with new technologies, like AI and ML, and the challenges that come with them, Canada has introduced Bill C-27, which may replace the current data privacy law, PIPEDA.

Once signed into law, this bill will regulate the collection, use, and disclosure of personal information in the Great White North. It is poised to clarify the rules and exemptions around obtaining consumer consent, and it requires organizations to put in place a privacy management program.

Also known as the Digital Charter Implementation Act, Bill C-27 will also bring some new privacy rights, in addition to mandates for businesses’ use of AI systems. Moreover, it will empower the Information Commissioner and the Tribunal to audit businesses and impose fines for non-compliance, such as failure to deploy a privacy management program.

The Canadian Bill C-27 includes three different laws:

The Consumer Privacy Protection Act (CPPA)

The Consumer Privacy Protection Act, which is part of Bill C-27, is poised to revise and replace the current Canadian data privacy law, PIPEDA.

The Personal Information and Data Protection Tribunal Act

This Act will establish the Personal Information and Data Protection Tribunal, more commonly known as the Tribunal. It will empower the Tribunal to impose fines on organizations that fail to meet the CPPA’s requirements.

The Artificial Intelligence and Data Act (AI Act)

This Act aims to introduce new limitations on the use of artificial intelligence systems, including deep learning and other machine learning technologies.

How Does Bill C-27 Apply to Healthcare Organizations’ Online Forms

Bill C-27 will also have implications for healthcare companies and the forms they create and use to collect consumer data. The law will bring new rules around personal health information and its privacy, requiring companies to obtain valid consent from consumers before collecting and using their information.

This includes online forms as well. Healthcare companies will be required to be more transparent about their data practices and to provide clarity on how data is used.

The privacy standards and rules this bill sets will give individuals more control over their personal data, which could affect the design and functionality of the online forms healthcare organizations create.

Privacy Law Evolution

PIPEDA established clear standards for protecting personal information that healthcare organizations must follow. The 10 fair information principles cover key areas like accountability, consent, limiting collection and use, ensuring accuracy, implementing safeguards, and giving individuals rights over their data.

As technology evolves, Canada is working to modernize its privacy laws through the proposed Consumer Privacy Protection Act (CPPA) under Bill C-27, which brings stricter consent, transparency, and accountability requirements around data practices.

For healthcare providers, this will likely necessitate updates to online forms and processes to comply with enhanced privacy rights for patients’ personal health data. Staying compliant with evolving data privacy regulations is critical for building public trust while leveraging information responsibly.


Click here to get a demo session of PIPEDA-compliant MakeForms or to learn more about us. MakeForms offers GDPR-compliant forms as well.

FAQs

1. What is PIPEDA?

PIPEDA, or the Personal Information Protection and Electronic Documents Act, is a Canadian law governing how private-sector organizations handle personal information during commercial activities.

2. Does PIPEDA apply to healthcare organizations?

Yes, PIPEDA applies to healthcare organizations in Canada when they handle personal information in the course of commercial activities, unless they are in provinces with substantially similar laws.

3. Is PIPEDA getting replaced in Canada?

Yes, PIPEDA may be replaced by Bill C-27, the Consumer Privacy Protection Act, which proposes updated regulations to address modern technologies and enhance data privacy protections.