Learn About PIPEDA
PIPEDA is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.
Frequently Asked Questions
What does PIPEDA stand for?
PIPEDA stands for The Personal Information Protection and Electronic Documents Act.
Why is PIPEDA important?
Part of the reason PIPEDA is important is that organizations covered by it must obtain consent from individuals when they collect, use, or disclose their personal information.
This means that information collected from clients can only be used for the purposes for which it was collected. If an organization wants to use that information in a different way, it must ask for consent again.
What is personal information under PIPEDA?
According to PIPEDA, any factual or subjective information about an identifiable individual should be protected. This includes information in many different forms, such as:
- Identification numbers (e.g., provincial health card number, Social Insurance Number)
- Ethnic heritage
- Blood type
- Opinions or comments
- Social status
- Disciplinary actions
- Employee files
- Previous merchant disputes
- Credit history
- Loan records
What are the differences between PIPEDA and PHIPA?
PIPEDA is a federal regulation for protecting personal information.
PHIPA (Personal Health Information Protection Act) is a provincial regulation for protecting personal information, specifically as it relates to clients in Ontario.
The key difference between these two regulations is that PIPEDA applies to personal information across a broader spectrum, while PHIPA focuses on protections for personal health information.
Because the federal government has concluded that the principles underlying PHIPA and PIPEDA are very similar in some ways, companies that are PHIPA compliant may be exempt from certain parts of PIPEDA.
Who must comply with PIPEDA?
It is a requirement in Canada that all federally regulated organizations remain PIPEDA compliant, or be subject to an equivalent provincial law. This could include businesses such as:
- Telecommunication companies
- Banks (domestic/authorized foreign) and other financial institutions
- Television and radio broadcasters
- Airlines, airports, and aircraft
- Offshore drilling operations
It’s important to note that these businesses must also offer the same protections for their employees’ personal information as they do for their clients’.
Who is exempt from PIPEDA?
Certain provinces in Canada have their own private-sector privacy laws (i.e., British Columbia, Alberta, and Quebec). Organizations in those provinces are generally exempt from PIPEDA, because they are already subject to a provincial privacy law that’s considered equivalent.
Other provincial regulations
Since healthcare in Canada is provided at the provincial level, each province has its own health data privacy requirements.
- Alberta: HIA
- Ontario: PHIPA
- Manitoba: PHIA
- New Brunswick: PHIPAA
- Newfoundland and Labrador: PHIA
- Prince Edward Island: HIA
- Quebec: QHR
- Saskatchewan: HIPA
- British Columbia: FIPPA
- Nova Scotia: PHIA
Because Ontario is the most densely populated province in the country, PHIPA is the provincial regulation we hear about most often, but similar regulations exist for the other provinces across the country.
How can MedStack help with PIPEDA compliance?
Some provinces require that health data remain in Canada. MedStack can assist with this by ensuring that the data of companies under such a regulation is housed only in a Canadian data center.
Learn how our platform can help you become PIPEDA compliant
We are the only platform that brings together compliance, security assessment responses, threat protection, and audit readiness into a complete offering, ensuring your application runs and manages data in the cloud with the highest privacy and security standards in mind.