“Personal Information” as explained by Canadian regulation
PIPEDA is a federal privacy law in Canada that applies to organizations that collect, use, and disclose personal information in the course of commercial activities. The Act sets out the rules for how organizations must handle personal information in a fair and responsible manner.
What is “Personal Information” Under PIPEDA?
Under PIPEDA, "personal information" is defined as any information about an identifiable individual. This includes information that can be used on its own, or in combination with other information, to identify a person. Personal information can be factual (such as a person's name, age, or address) or it can be an opinion (such as a person's evaluation of a product or service).
Personal Information Exclusions
There are several categories of information that are specifically excluded from the definition of personal information under PIPEDA. These include:
- Business contact information (such as an individual's business title, business address, or business telephone number) when it is used solely for the purpose of communicating with the individual in relation to their business, profession, or employment.
- Publicly available information, such as information that can be found in a public directory or on a public website.
- Information that is de-identified or aggregated so that it cannot be used to identify an individual.
PIPEDA Compliance Requirements
PIPEDA requires organizations to be transparent about their collection, use, and disclosure of personal information. This means that organizations must inform individuals about why they are collecting their personal information, how it will be used, and who it will be shared with.
Organizations must also obtain the consent of individuals before collecting, using, or disclosing their personal information unless the collection is required by law or is necessary for the organization to provide a product or service.
Organizations are also required to protect the personal information they collect from unauthorized access, disclosure, or misuse. This means that they must have appropriate safeguards in place to prevent unauthorized access to personal information, such as secure servers, firewalls, and encryption.
There are some exceptions to the rules set out in PIPEDA. For example, organizations are not required to obtain consent for the collection, use, or disclosure of personal information if it is necessary for the organization to investigate a breach of an agreement or a contravention of the law. Additionally, personal information can be disclosed without consent in certain circumstances, such as when it is necessary to protect an individual's life, health, or security, or when it is required by law.
Individual’s Rights Under PIPEDA
PIPEDA also gives individuals the right to access their personal information and request that it be corrected if it is inaccurate. Individuals can make a request to access their personal information by contacting the organization that holds it. The organization must respond to the request within 30 days and provide the requested information unless there is a legal reason for not doing so.
In summary, personal information under PIPEDA is any information about an identifiable individual that is collected, used, or disclosed by an organization in the course of commercial activities. Organizations must be transparent about their collection, use, and disclosure of personal information and must obtain the consent of individuals before collecting, using, or disclosing it unless there is a legal exception. PIPEDA also requires organizations to protect the personal information they collect and gives individuals the right to access and request correction of their personal information.