PIPEDA Fair Information Principle 1 – Accountability

Reviewed: August 2020

Your responsibilities

• Comply with all 10 fair information principles.
• Appoint someone to be responsible for your organization’s PIPEDA compliance.
• Protect all personal information held by your organization, including any personal information you transfer to a third party for processing.
• Develop and implement personal information policies and practices.

How to fulfill these responsibilities

Develop a privacy management program

• This program should be designed, at a minimum, to comply with the law, including the 10 fair information principles.
• It should identify your organization’s designated privacy official, and communicate that person’s name or title internally and externally (e.g. on your website or in publications).
• Your designated privacy official should have the support of senior management and the authority to intervene on privacy issues.
• Conduct a privacy impact assessment and threat analysis of your organization’s personal information handling practices, including ongoing activities, new initiatives, and new technologies.
• Start by using the following checklist:
  • What personal information do we collect and is it sensitive? (Sensitive information may require extra protection.)
  • Why do we collect it?
  • How do we collect it?
  • What do we use it for?
  • Where do we keep it?
  • How is it secured?
  • Who has access to or uses it?
  • Who do we share it with?
  • When is it disposed of?
• Develop, document and implement policies and procedures to protect personal information:
  • Define the purposes of collection.
  • Obtain valid and meaningful consent.
  • Limit collection, use and disclosure.
  • Ensure information is correct, complete and current.
  • Ensure security measures are adequate to protect information.
  • Develop or update a retention and destruction timetable.
  • Develop and implement policies and procedures to respond to complaints, inquiries and requests to access personal information.
  • Develop, document and implement breach and incident-management protocols.
  • Document and implement risk assessments.
  • Develop, document and implement appropriate practices to be used by third-party service-providers.
  • Develop, document and deliver appropriate privacy training for employees.
• Regularly review your privacy management program and address any shortcomings.
• Be prepared to demonstrate that you have specific policies and procedures in place to protect personal information; that you provide adequate privacy training to your employees; and that you have appointed someone to be responsible for privacy governance.
• Make your privacy policies and procedures readily available to customers and employees (e.g., in brochures and on websites).

Tips

• Train all staff so they can answer the following questions:
  • How do I respond to public inquiries regarding our organization’s privacy policies?
  • What is valid and meaningful consent? When and how is it obtained?
  • How do I recognize and process requests for access to personal information?
  • To whom should I refer privacy-related complaints?
  • What are my organization’s current or new initiatives relating to the protection of personal information?
• When transferring personal information to third parties for processing outside Canada:
  • assess risks that could adversely impact the protection of personal information when it is transferred to third-party service providers operating outside of Canada;
  • ensure through contractual or other means that the third party provides a level of protection of the personal information comparable level of protection to that required in PIPEDA;
  • limit the third party’s use of the personal information to the purposes specified to fulfill the contract; and
  • be transparent about your practices, including by advising customers their information may be sent to another jurisdiction for processing, and that while in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.