Understanding PIPEDA and privacy requirements
We’ve all heard about the controversy and consequences surrounding security breaches of personal information. Even as technology continues to advance, challenges remain concerning the collection and use of personal information. In 2015, Canada’s Digital Privacy Act received Royal Assent, and with it came an enhancement of the Personal Information Protection and Electronic Documents Act (PIPEDA).
As Canada’s private sector privacy law, PIPEDA establishes rules on how private sector organizations that are federally regulated may collect, use and/or disclose personal information. PIPEDA doesn’t apply in BC, Alberta and Quebec, (for organizations that are provincially regulated in those provinces) which have their own similar legislation, but even then PIPEDA governs the sharing of personal information across provincial, territorial or international borders.
According to the Office of the Privacy Commissioner of Canada, “organizations covered by the Act must obtain an individual’s consent when they collect, use or disclose the individual’s personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again.”
What is personal information?
Personal information includes any information pertaining to an identifiable individual, such as:
- Age, name, ID numbers, income, ethnic origin or blood type
- Opinions, evaluations, comments, social status or disciplinary actions
- Employee files, credit records, loan records, medical records or existence of a dispute between a consumer and a merchant
What PIPEDA means to the financial services industry
There are specific rules to safeguard personal information that financial advisors collect from their clients. This information may only be collected with a client’s consent and used expressly for its disclosed purpose. The advisor must ensure the information is accurate, stored securely and accessible for both inspection and, if required, correction.
PIPEDA does not apply to the following:
- Any government institution to which the Privacy Act applies
- Someone who collects, uses or discloses personal information strictly for personal purposes
- Business contact information that an organization collects, uses or discloses solely to communicate with a person in relation to his or her employment, business or profession
- An organization that collects, uses or disclosed personal information for journalistic, artistic or literary purposes, and does not do so for any other purpose
Whether in the context of financial services or otherwise, every Canadian should be familiar with their rights and responsibilities regarding the collection and use of personal information.
The Canadian Investment Funds Course covers many relevant topics, including proper usage of personal information, for investors and for those who work (or want to work) in the financial services industry.