PIPEDA Fair Information Principle 1 – Accountability

Your responsibilities as a business

  • Comply with all 10 of the principles of Schedule 1.
  • Appoint someone to be responsible for your organization's compliance.
  • Protect all personal information held by your organization including that which is transferred to a third party for processing.
  • Develop and implement personal information policies and practices.

How to fulfill these responsibilities

Develop a privacy management program. As part of this program:

  • Give your designated privacy official senior management support and the authority to intervene on privacy issues relating to any of your organization's operations.
  • Communicate the name or title of this individual internally and externally (e.g. on websites and in publications).
  • Analyze and document all personal information handling practices, including ongoing activities and new initiatives, using the following checklist to ensure that they meet fair information practices:
    • What personal information do we collect and is it sensitive? (Sensitive information may require extra protection.)
    • Why do we collect it?
    • How do we collect it?
    • What do we use it for?
    • Where do we keep it?
    • How is it secured?
    • Who has access to or uses it?
    • To whom is it disclosed?
    • When is it disposed of?
  • Develop, document and implement policies and procedures to protect personal information:
    • define the purposes of its collection
    • obtain consent
    • limit its collection, use and disclosure
    • ensure information is correct, complete and current
    • ensure adequate security measures
    • develop or update a retention and destruction timetable
    • develop and implement policies and procedures to respond to access requests as well as inquiries and complaints
    • develop, document and implement breach and incident management protocols
    • conduct risk assessments
    • develop, document and implement appropriate service provider management practices
    • develop, document and deliver appropriate privacy training for employees
  • Regularly assess your privacy management program and address any shortcomings.
  • Be prepared to demonstrate that you have a privacy management program in place and that it is being followed.
  • Make information available explaining your privacy policies and procedures to customers (e.g. in brochures and on websites).

Tips

Train your staff and keep them informed, so they can answer these questions:

  • How do I respond to public inquiries regarding our organization's privacy policies?
  • What is consent? When and how is it to be obtained?
  • How do I recognize and process requests for access to personal information?
  • To whom should I refer complaints about privacy matters?
  • What are the ongoing activities and new initiatives relating to the protection of personal information at our organization?

Tips for transferring personal information to third parties

When transferring personal information to third parties, your contract with them should ensure that they:

  • Name a person to handle all privacy aspects of the contract.
  • Limit use of the personal information to the purposes specified to fulfil the contract.
  • Limit disclosure of the information to what is authorized by your organization or required by law.
  • Refer any people looking for access to their personal information to your organization.
  • Return or dispose of the transferred information upon completion of the contract.
  • Use appropriate security measures to protect the personal information.
  • Allow your organization to audit the third party's compliance with the contract as necessary.