Personal information of a natural person (i.e. not a corporation, union, association, partnership, or charity) can include photographs, business email addresses, employee identification numbers, computer IP addresses, and customers' in-store behaviour. Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the ten fair information principles, which were extracted from the Canadian Standards Association (CSA) Model Code for the protection of personal information.
Accountability: Organizations, including associations, partnerships, persons, and trade unions, are responsible for personal information under their control and must designate someone to be accountable for compliance with the ten principles.
Identifying Purposes: Organizations shall identify the purpose for the collection of personal information at or before the time of collection.
Consent: Consent of the individual is required to collect, use, or disclose personal information, except where inappropriate.
Limiting Collection: Personal information collected must be limited to what’s necessary for the organization’s purposes and must be collected by fair and lawful means.
Limiting Use, Disclosure, and Retention: Personal information can only be used or disclosed for the purposes for which it was collected, with few exceptions, and may only be kept as long as necessary.
Accuracy: Personal information shall be as accurate, complete, and up-to-date as possible for the purposes for which it is to be used.
Safeguards: Personal information held in the custody of the organization shall be protected against loss, theft, unauthorized access, etc. with appropriate security relative to the sensitivity of the information.
Openness: Organizations shall make detailed information regarding policies and practices relating to the management of personal information readily available.
Individual Access: Individuals must be informed of the existence, use, and disclosure of their personal information upon request. They shall be provided with access to that information, shall be able to challenge the accuracy and completeness of the information, and have it amended as necessary.
Challenging Compliance: An organization’s compliance and inquiry procedures shall provide a way for an individual to challenge an organization’s compliance with PIPEDA.