Cybersecurity, Privacy and Data Protection II
In this series of blogs, we will share the principles of privacy from one of the chapters, Cybersecurity, Privacy and Data Protection of our publications: Cross Border Retailers Guide To Doing Business in Canada 2021.
The Personal Information Protection and Electronic Documents Act (PIPEDA) includes 10 principles that establish obligations for organizations and more broadly drive interpretation of privacy law and policy in Canada.
Brands operating or selling products in Canada should consider their business activities and privacy procedures from the perspective of these 10 principles:
- Accountability: Brands are responsible for personal information under their custody or control. In certain circumstances or jurisdictions, they are also responsible for the privacy compliance of a business with which they share personal information. An important consequence of accountability is that organizations remain responsible for personal information in their control, even when their service providers process it.
- Identifying Purposes: Brands must explain to customers why they are collecting their personal information and how they will use it or disclose it to other organizations (unless the purpose of collection, use or disclosure would be obvious to a “reasonable” person and the customer voluntarily provides the information for that purpose). Brands cannot collect personal information for one purpose and then use it for another without obtaining new consent for the secondary use (unless an exception applies). For instance, brands cannot tell customers they are collecting personal information to “track purchases” and then use it to market products to them.
- Consent: Consent should be obtained before or during the collection. Brands should be aware that they cannot require a customer to provide personal information as a condition of sale, unless it is essential to conduct the sale.
- Limiting Collection: The collection of personal information is limited to what is necessary for the identified purposes and must be collected by fair and lawful means. This means brands may only collect the personal information needed to complete the purchase. For instance, if a customer joins a loyalty program, providing their demographic information should be optional.
- Limiting Use, Disclosure and Retention: Personal information must be used and disclosed only for the purpose(s) intended, except where consent of the individual is obtained or as required by law. This may pose a challenge for brands who engage in data analytics or use artificial intelligence applications, where large data sets collected over time are important to the generation of accurate insights.
- Accuracy: Brands must make a reasonable effort to ensure that a customer’s personal information is accurate and complete.
- Security Safeguards: Brands must protect all personal information in their custody or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, copying, modification or disposal or similar risks. The nature of the safeguards will vary depending on the sensitivity of the information, the amount, distribution, and format of the information, and the method of storage. Sensitive information needs a higher level of protection.
- Individual Access: If a customer requests, brands must provide him or her with information about the existence, use, and disclosure of his or her personal information and must provide access to that information (with certain narrow exceptions). An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: Brands must have procedures in place to receive and respond to complaints or inquiries about their policies and practices regarding the handling of personal information.