PIPEDA is broken down into 10 core principles. They reflect and evaluate how a business is required to handle personal information and to ensure that best practices are in place and used. Following is an overview of each of these principles as well as one guidance on how they relate to cloud service providers.
1. Accountability
An organization is required to accept responsibility for any and all personal information that is under its control. This is accomplished by designating a representation who is accountable and responsible for the organization’s compliance. The business is further required to use various means, including contractual, to ensure that it remains compliant with third parties. It also has a responsibility to uphold PIPEDA by developing and implementing relevant policies and procedures.
Organizations should include contractual obligations that uphold PIPEDA including reporting procedures, security policies, non-disclosure, and limitations.
2. Identifying Purposes
An organization is responsible for identifying and documenting their purpose for collecting personal information. They are required to notify their customers, clients, users, visitors, and guests if they intend to use the information for any purpose that was not identified at the time of collection prior to using that information.
Organizations should share the organization’s outlook on policies and procedures, particularly as it related to the purpose of collecting personal data.
Businesses should evaluate their requirements to handle personal information and to ensure that best practices are in place and used.
3. Consent
An organization is responsible for obtaining the informed consent of individuals when it is engaged in the practice of collection of personal information or data, except where such knowledge and consent is inappropriate.
Organizations should share the organization’s policies and outlook regarding how sensitive data is handled.
4. Limiting Collection
An organization is responsible for limiting the collection of personal information to only what is necessary for purposes identified by the organization. All collection methods should be fair and compliant with all applicable laws.
Organizations should follow the best practices for securing storing personal information on the behalf of the business.
5. Limiting Use, Disclosure, and Retention
An organization is responsible for never using or disclosing personal information for any purpose other than that for which it was collected. They are to retain any personal information collected for only as long as is necessary to fulfill the intent or purpose of the collection.
Organizations should follow best practices for securely handling the destruction or disposal of data that is no longer needed and storage is no longer required. They should also have policies in place regarding third party disclosure.
6. Accuracy
An organization is responsible for ensuring that all information is accurate, complete, and up to date. It should be only what is necessary or required for the purpose or intent of use.
Organizations should share the organization’s principles on the accuracy of data that is collected.
7. Safeguards
An organization is responsible for protecting personal information by ensuring that reliable security safeguards that are appropriate for the level of the information’s sensitivity are in place.
Organizations should have policies in place for safeguarding the data that it is hosting for the organization. Organizations should have access to all security policies regarding how their cloud service provider protects the collected data from loss and theft as well as unauthorized access, copying, modification, disclosure, and use.
8. Openness
An organization is responsible for complete transparency regarding its policies and management of collected personal information. The policies should be very detailed in explaining how it manages personal information and these policies should be readily available for both employees and clients.
Organizations should be transparent regarding their data management policies. They should be able to provide a copy of these policies to their clients upon request.
9. Individual Access
An organization is responsible for providing, upon written request, the existence, use, and disclosure of an individual’s personal information. They must also give those individuals access to the information that has been collected and they must be given the opportunity or option to challenge the accuracy of it and have it amended appropriately.
Organizations should have policies in place that are in line with the organization’s policies regarding access to information.
10. Challenging Compliance
An organization is responsible for providing a platform for individuals to address challenges PIPEDA compliance with the core principles. The designated individual or team that handle’s an organization’s compliance will be the point of contact for individuals who are challenging the compliance issues.
Organizations should have the appropriate policies and procedures to ensure that there are no complaints filed or received regarding the way that an organization’s data is handled.