In effect since January 1, 2001.
PIPEDA applies to organizations that collect, use or disclose personal information in commercial activities in all provinces and territories except those with their own substantially similar private sector privacy legislation.
Key provisions of PIPEDA:
- Consent: Organizations must obtain an individual's consent before collecting, using, or disclosing their personal information. Consent must be obtained in an understandable and meaningful way, and individuals have the right to withdraw their consent at any time;
- Collection limitation: Organizations may only collect personal information for reasonable and necessary purposes. They must also inform individuals of the purposes for which their data is being collected;
- Use and disclosure limitation: Organizations may only use or disclose personal information for the purposes for which it was collected or for a purpose that the individual would reasonably expect. They must also inform individuals of any third parties to whom their information may be disclosed;
- Access: Individuals have the right to access their personal information held by an organization, and to request that any inaccuracies be corrected;
- Accountability: Organizations are responsible for protecting personal information under their control and are required to take reasonable steps to safeguard it. They must also have policies and procedures in place to comply with PIPEDA;
- Openness: Organizations must make information about their privacy policies and practices readily available to individuals;
- Challenging compliance: Individuals have the right to challenge an organization's compliance with PIPEDA, and may file a complaint with the Office of the Privacy Commissioner of Canada (OPC). The OPC has the authority to investigate complaints and make recommendations to organizations. If an organization fails to comply with PIPEDA, the OPC may take legal action.