Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian law that serves as the rulebook on data privacy. In some regards, PIPEDA has many parallels with HIPAA in terms of the way that it mandates certain handling of electronic health information. However, PIPEDA does not concern primarily with protected health information (PHI), as HIPAA does, but rather applies to the vast majority of data that pertains to each private Canadian citizen.
“Personal information”, is defined by PIPEDA as information about an individual that does not include the name, business address, title, or phone number of that individual or business. This law gives citizens:
2. The expectation that’their data is to be collected, used, or disclosed appropriately
3. To know who is responsible for organizing their personal information
4. To expect the organization to reasonably protect their data
5. To be able to keep their data up-to-date
6. To complain if an organization is handling their data in an unsatisfactory manner.
In addition, PIPEDA requires:
- Data is collected by fair and lawful means
- Personal information policies to be clear and readily available
- Organizations to obtain consent before collecting or disclosing data
- To provide the product or service promised despite refusal to consent to data collection
If an individual feels that their information has been compromised in violation of PIPEDA, this person does not have an automatic right to sue on these grounds. Rather, they must submit a formal complaint to the Office of the Privacy Commissioner of Canada, upon which the complaint will be addressed and a report will be filed at the conclusion of the investigation. This report is a recommendation for action and is not binding. The complainant can then take the report to the Federal Court of Canada to seek reparations for alleged violations of PIPEDA. The court has the power to award damages and to force corrective action.
PIPEDA requires Canadian hosting companies to meet these specific requirements and to be able to prove that these requirements are being met. Canada has several audit standards that are in place to guarantee that companies are protecting customer data in an acceptable way. Two of these audit standards are known as SAS70 (State on Auditing Standards, No. 70) and CICA5970 (Canadian Institute of Chartered Accountants). These audits were created to test and illustrate the “controls” a company has in place to ensure compliance. “Control” in this case refers to any process, tool, or policy that a company utilizes to back up a claim of compliance.
Regarding SAS70, there are two types of types of audits: Type I and Type II. Type I audits are used to provide auditors and organizations with information on the controls in place that are relevant to the organization’s financial reporting. With this type of audit, no testing is performed to determine effectiveness of the controls, just to ensure the presence of these controls. Type II audits are used for controls that are specifically tested to meet specified objectives and assess their effectiveness. This type of audit takes place over the course of time and pertains to the presentation of such controls and their functional effectiveness. At the end of these audit reports, management determines a reasonable assessment of the systems in-place to prevent data breaches, from physical security, to backup/recovery, and log retention.
In terms of IT Professionals, if data is being hosted in Canada, it is subject to PIPEDA law and its provisions. Subject to this act, businesses are required to be able to respond to requests to access personal information in accordance with the requirements of this act. This generally means that you must provide access to individuals to their own data in a timely manner, to make corrections as needed, and to ensure that these requests for access are legitimate before releasing any data that doesn’t fall under the exceptions described above. With less constraints than HIPAA, the PIPEDA law applies to a grander scope of data. Many companies that would not even have to think about HIPAA would need to keep in mind the provisions required by PIPEDA when creating their business infrastructure. It’s safe to say if you have a PIPEDA requirement, hosting with a provider who is HIPAA compliant will cover your organization as long as they are SAS 70 certified.