The Personal Information Protection and Electronic Documents Act (PIPEDA) lays down the foundation for collecting, using, and disclosing personal information while granting individuals the power to control how their information is handled in the private sector. PIPEDA’s ten fair information principles serve as a guiding framework for organizations to comply with the law and ensure the safety of personal information. In addition to these principles, PIPEDA mandates that personal information must only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances.
The Office of the Privacy Commissioner (OPC) has identified certain purposes that would generally be considered inappropriate, referred to as “no-go zones.” These include unlawful collection, use or disclosure of personal information, unfair profiling or categorization, collection of information for purposes that could cause significant harm, publishing personal information with the intent of charging for its removal, requiring social media passwords for employee screening, and conducting surveillance without consent.
The ten fair information principles describe organizations’ responsibilities for ensuring the safety and protection of personal information.
Principle 1 emphasizes accountability, requiring organizations to appoint someone responsible for complying with fair information principles.
Principle 2 mandates that organizations identify the purpose of collecting personal information before or at the time of collection.
Principle 3 requires organizations to obtain consent from individuals before collecting, using, or disclosing personal information, except when inappropriate.
Principle 4 stipulates that organizations should limit the collection of personal information to what is necessary for the purpose identified.
Principle 5 restricts the use and disclosure of personal information to the purposes for which it was collected, and requires organizations to keep it only as long as required.
Principle 6 emphasizes the accuracy, completeness, and timeliness of personal information.
Principle 7 highlights the importance of safeguarding personal information with appropriate security measures.
Principle 8 requires organizations to be transparent about their policies and practices regarding personal information management, making them readily available to the public.
Principle 9 grants individuals access to their personal information and the right to challenge its accuracy and completeness.
Finally, Principle 10 allows individuals to challenge organizations’ compliance with fair information principles by addressing their concerns to the Chief Privacy Officer.
In summary, adhering to PIPEDA’s fair information principles ensures that organizations collect, use, and disclose personal information responsibly, providing individuals with greater control over their information.