PIPEDA Fair Information Principle 1 – Accountability
Reviewed: May 2019
- Comply with all 10 fair information principles.
- Appoint someone to be responsible for your organization's PIPEDA compliance.
- Protect all personal information held by your organization, including any personal information you transfer to a third party for processing.
- Develop and implement personal information policies and practices.
How to fulfill these responsibilities
Develop a privacy management program.
- This program should identify your organization’s designated privacy official, and communicate their name or title internally and externally (e.g. on your website or in publications).
- Your designated privacy official should have the support of senior management and the authority to intervene on privacy issues.
- Conduct a privacy impact assessment and threat analysis of your organization’s personal-information handling practices, including ongoing activities, new initiatives, and new technologies.
- Start by using the following checklist:
  - What personal information do we collect and is it sensitive? (Sensitive information may require extra protection.)
  - Why do we collect it?
  - How do we collect it?
  - What do we use it for?
  - Where do we keep it?
  - How is it secured?
  - Who has access to or uses it?
  - Who do we share it with?
  - When is it disposed of?
- Develop, document and implement policies and procedures to protect personal information:
  - Define the purposes of collection.
  - Obtain valid and meaningful consent.
  - Limit collection, use and disclosure.
  - Ensure information is correct, complete and current.
  - Ensure security measures are adequate to protect information.
  - Develop or update a retention and destruction timetable.
- Develop and implement policies and procedures to respond to complaints, inquiries and requests to access personal information.
- Develop, document and implement breach and incident-management protocols.
- Document and implement risk assessments.
- Develop, document and implement appropriate practices to be used by third-party service-providers.
- Develop, document and deliver appropriate privacy training for employees.
- Regularly review your privacy management program and address any shortcomings.
- Be prepared to demonstrate that you have specific policies and procedures in place to protect personal information; that you provide adequate privacy training to your employees; and that you have appointed someone to be responsible for privacy governance.
- Make your privacy policies and procedures readily available to customers and employees (e.g., in brochures and on websites).
- Train all staff so they can answer the following questions:
  - How do I respond to public inquiries regarding our organization's privacy policies?
  - What is valid and meaningful consent? When and how is it obtained?
  - How do I recognize and process requests for access to personal information?
  - To whom should I refer privacy-related complaints?
  - What are my organization’s current or new initiatives relating to the protection of personal information?
- When transferring personal information to third parties:
  - obtain appropriate consent from the customer/client for the transfer;
  - ensure the third party has identified a person to handle all privacy aspects of your contract with them;
  - limit the third party’s use of any personal information you supply to the purposes specified to fulfil the contract;
  - limit any disclosure by the third party of this information to what is authorized by your organization or required by law;
  - ensure the third party refers any people looking to access their personal information to your organization;
  - ensure the third party returns or disposes of the transferred information upon completion of the contract;
  - ensure the third party uses appropriate security measures to protect the personal information;
  - allow your organization to audit the third party’s compliance with the terms of your contract as necessary.