Data Privacy Compliance Series: What Engineering and IT Leaders Need to Know
A Guide to PIPEDA Compliance When Using Third-Party APIs
If you’re an engineering or IT leader whose business collects or maintains any personal information from Canadian citizens, you’ll need to be familiar with your responsibilities under PIPEDA. Companies that use third-party APIs face some unique data privacy and compliance challenges, and those challenges require proactive strategies to protect your customers’ information and stay compliant.
What PIPEDA Is
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law governing personal data and information privacy.
What It Protects
PIPEDA protects the personal information of Canadian citizens, which it defines quite broadly. Personal information under PIPEDA can range from personally identifiable information like a person’s name, age, ID number or address to medical records, opinions, ethnic origin, income – and even a person’s “intentions,” like the intent to purchase something or to change jobs.
Why It Matters to You If You’re Consuming APIs
All businesses that handle the personal information of Canadians, regardless of where they are based, are subject to PIPEDA (you can double-check whether you’re subject to PIPEDA here) – and the law lays out some specific requirements when it comes to sharing data with third parties.
Companies must get express consent from customers before collecting their information and specify how the information will be used. If your plans for data use change at all (for example, you start using a new third-party API), you also need to get consent for that new use. PIPEDA also specifies that companies should ensure that third parties limit the use of supplied personal information to the specified purposes and ensure that they take appropriate security measures to protect the information.
Fines for PIPEDA violations can be up to $100,000 per violation.
What You Need to Provide for Your Customers
Under PIPEDA, customers can request to review the information collected about them and understand how it was used or who it was shared with and for what purpose. You should also provide simple, accessible ways for customers to make these requests and to issue any complaints about their personal data usage or make changes to their information. The law notes that these complaints or changes should also be shared with any third parties handling the customers’ data.
What PIPEDA Requires of Your Business
PIPEDA requires businesses to adhere to the following 10 principles:
- Accountability. This includes appointing someone who will be responsible for compliance and security and protecting personal information acquired by your company or shared with third parties like APIs.
- Identify the purpose. PIPEDA requires that you identify and specifically document why information is being collected and inform individuals of this purpose. If the purpose for data use or collection changes (e.g., through the use of a new third-party API), you must specifically inform customers of this new purpose and get their consent.
- Obtain informed consent. Get consent from customers before information is collected or used for a new purpose.
- Limit collection. Meaning: don’t collect more information than you need for your stated purpose.
- Limit use, disclosure and retention. Use information only for the purpose disclosed to your customers and keep information only as long as necessary to fulfill the purpose.
- Be accurate. Minimize any possibility of incorrect information and let customers make corrections.
- Use appropriate safeguards. PIPEDA also states that you must notify the Privacy Commissioner of Canada and affected individuals in the event of a security breach and keep records of all breaches.
- Be open. Inform customers about your policies and make them understandable and accessible.
- Give individuals access to their information. Provide simple and accessible recourse
Three Things You’ll Need to (Easily) Comply with PIPEDA
1. Visibility. If you have a clear view of all information your company is collecting and where it is being shared, you’ll be able to more easily articulate the purpose for each instance of data sharing and ensure that your customers are informed. As noted above, PIPEDA also requires fairly extensive record keeping, which makes this kind of visibility especially critical.
2. Data Policy Controls. Develop a system for recording which types of data may be shared with which third parties, and for blocking any data sharing that could be considered a new use of information until consent has been obtained.
3. Monitoring and alerting. Automatic, real-time monitoring will let you ensure that data is being shared according to your PIPEDA-compliant specifications and alert you in the event of an accidental violation or a security breach. Having this information instantly will help you both remedy the problem and inform your customers, per PIPEDA’s regulations.
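The following is an added illustration, not code from the original article or from Hoss, of how the three requirements above can be combined in one outbound-data gate: a per-API policy of permitted fields and required purpose, a check against each customer’s recorded consents, and an audit record of every decision that can later answer an access request. The policy table, API names and consent purposes are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed policy for illustration: the personal-data fields each third-party
# API may receive, and the consented purpose that sharing those fields requires.
POLICY = {
    "payments-api": {"fields": {"name", "email", "postal_code"},
                     "purpose": "order_fulfilment"},
    "analytics-api": {"fields": {"email"}, "purpose": "product_analytics"},
}


class DataSharingGate:
    """Decide whether a payload may leave for a third-party API, and keep a record."""

    def __init__(self, policy, consents):
        self.policy = policy
        self.consents = consents   # customer_id -> set of purposes the customer consented to
        self.audit_log = []        # one record per decision, allowed or blocked

    def check(self, customer_id, api_name, payload):
        rule = self.policy.get(api_name)
        reason = None
        if rule is None:
            reason = "third party not in policy"          # unknown API: block and record
        else:
            extra = set(payload) - rule["fields"]           # limit collection/disclosure
            if extra:
                reason = "fields not permitted: " + ", ".join(sorted(extra))
            elif rule["purpose"] not in self.consents.get(customer_id, set()):
                reason = "no consent for purpose " + rule["purpose"]  # new use without consent
        decision = {
            "time": datetime.now(timezone.utc).isoformat(),
            "customer_id": customer_id,
            "api": api_name,
            "fields": sorted(payload),
            "purpose": rule["purpose"] if rule else None,
            "allowed": reason is None,
            "reason": reason,
        }
        self.audit_log.append(decision)   # record keeping for both allowed and blocked sharing
        return decision

    def disclosures_for(self, customer_id):
        """Answer an access request: which APIs received this customer's data, and why."""
        return [(d["api"], d["fields"], d["purpose"])
                for d in self.audit_log
                if d["customer_id"] == customer_id and d["allowed"]]
```

Blocked decisions stay in the audit log so that monitoring can alert on them; the caller only sends the payload when the returned decision is allowed.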
Hoss lets you track, tag and monitor all of your data processing activities with third-party APIs to help you protect your customers’ privacy and stay compliant with the CCPA as simply as possible. Get in touch to learn more.