PIPEDA Privacy Policy Template & Generator

Updated November 01, 2022

A PIPEDA privacy policy is required to be accessible on websites with Canadian users to disclose how personal information is collected and used. Prior to collecting users’ personal information, a website must obtain consent, which can be done by providing a link to the policy in the website’s footer.

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act, or PIPEDA, was enacted fully on January 1, 2004, by the Canadian legislature, with the main purpose of protecting and promoting consumer privacy rights.

Requirements (7)

  1. Place in Footer – Make the privacy policy available in completed form. To satisfy this condition, it is recommended that the policy be linked in the footer of the website and displayed on each webpage.
  2. Policies and Practices – Include policies and practices for safeguarding data, and name a person responsible for PIPEDA compliance.
  3. Describe Accurately in Easy-to-Understand Language – Describe, with “sufficient precision,” the personal information being collected from users, in easily understandable terms.
  4. Limit Collection and Usage – Limit the collection and use of personal data to what is needed to fulfill a legitimate identified purpose.
  5. Access to Personal Information – Allow users to access the personal information held about them and to challenge the organization’s compliance standards.
  6. Safeguard Data – A website is required to implement safeguards appropriate to the sensitivity of the personal information being stored.
  7. Report Breaches – Report breaches of personal information to the Office of the Privacy Commissioner (OPC) and to the affected individuals.

“Personal Information” Definition

Personal information means information about an identifiable individual.

Anti-Spam Legislation

PIPEDA works in tandem with Canada’s Anti-Spam Legislation (CASL), which allows users to report organizations that misuse their personal information.

10 Principles of PIPEDA

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

1. Accountability

An organization must acknowledge its responsibility to protect and secure its users’ personal information and to comply with the 10 principles of PIPEDA. Policies and practices are to be implemented, and a person is to be named responsible for compliance.

2. Identifying Purposes

The practices for collecting personal information must be detailed and outlined, including the purposes for which it is used.

3. Consent

“Meaningful consent” is required to collect and use personal information. This can be achieved by making the privacy policy “readily available in completed form” or placing a link in the website’s footer.

The privacy policy should be written in an easy-to-read format and state that the collection serves a legitimate purpose. It must also include language that allows users to withdraw their consent at any time.

4. Limiting Collection

Personal information may only be collected for the purposes stated in the privacy policy, and the collection must be carried out honestly and by lawful means.

5. Limiting Use, Disclosure, and Retention

Personal information may only be used for a clearly outlined purpose, and the policy must disclose where the information is held and how it is stored. The methods used when disposing of data are to be detailed as well.

6. Accuracy

Incorporate guidelines to reduce the amount of incorrect personal information held. No specific policies are prescribed, as each organization must set out procedures appropriate to its own circumstances.

7. Safeguards

Communicate that the organization has security safeguards appropriate to the sensitivity of the personal information being stored.

8. Openness

Overall, the privacy policy must be “clear and easy to understand” and “readily available,” which can be fulfilled by placing a link in the website’s footer.

9. Individual Access

A user should be able to access, or request, the information an organization holds about them. If the information is inaccurate, the user can request that it be corrected.

10. Challenging Compliance

A user must be able to challenge an organization’s compliance with, and procedures for, the fair information principles. The organization should be able to receive complaints and should have a process for handling such requests.