PIPA Implementation Tool 1: Ten Steps to Compliance


On January 1, 2004, the Personal Information Protection Act (PIPA) came into effect. PIPA regulates the way private sector organizations collect, use, secure and disclose personal information.

PIPA ensures that organizations holding personal information handle that information responsibly. It also gives individuals control over the way their information is handled, gives individuals the right to request access to their information and to request the correction of their personal information.

Organizations covered by PIPA need to consider how they will comply with and implement PIPA's privacy protection provisions. (For more information on whether your organization is covered refer to Implementation Tool 2: "How do I know if I am covered?").

The way an organization approaches compliance will vary depending on a number of factors, including:

  • the nature of the organization's business;
  • the organization's size;
  • the kind of information the organization collects, uses and discloses;
  • how the organization stores and secures information;
  • the expectations of the individuals who deal with the organization;
  • whether the organization transfers personal information across provincial or national borders; and,
  • the reputation the organization wishes to promote.

Developing a Privacy Plan

Developing a Privacy Plan is a good place to start. While not an exhaustive list, a privacy plan usually includes the following ten steps:

1. Assign Responsibility

An organization must designate one or more individuals within the organization to be responsible for developing and implementing a privacy policy that suits the organization's business and complies with the law (this individual is commonly known as a "Privacy Officer").

The Privacy Officer is the first point of contact in the organization when privacy issues arise either internally or from outside the organization. The Privacy Officer is responsible for ensuring that the organization's privacy policy and procedures are fully implemented and working effectively. 

Other activities could include:

  • formulating, coordinating and implementing a privacy policy plan. This plan could include conducting or coordinating a privacy audit and undertaking risk assessment; and,
  • promoting the plan to all relevant parties.

For more information on what a Privacy Officer does, refer to Implementation Tool 3: "What is a Privacy Officer?".

2. Become Familiar with the Ten Privacy Principles

The next step is for relevant members of the organization to familiarize themselves with PIPA's privacy principles. The ten privacy principles are legally binding rules that regulate the way private sector organizations collect, use, disclose, and ensure the security of personal information.

These principles (commonly known as "Fair Information Practices") are internationally recognized as fundamental to the protection of personal privacy and are found in most privacy legislation around the world. PIPA's privacy principles are the same as those set out in the Canadian Standards Association's Model Code for the Protection of Personal Information, which was incorporated into the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

An organization will need to become familiar with the privacy principles in order to design and implement a compliant privacy program. For more information on these principles refer to Implementation Tool 4: Ten Principles for the Protection of Privacy.

3. Conduct a Privacy Audit 

In order to identify what you will need to do to comply with PIPA, it is critical to find out where you are now. The first questions to ask are "Where do we have personal information?" and "How do we currently manage it?"

A privacy audit will assist you in answering these two questions and prepare you for assessing how your current practices measure up against Implementation Tool 4: Ten Principles for the Protection of Privacy.

A privacy audit is not a complicated process that involves hiring a professional auditor. It simply means conducting an internal inventory and review of your personal information holdings and practices. 

A privacy audit involves the following three steps, which may be performed together or in order:

  • taking an inventory of your personal information holdings;
  • identifying the information needs of the different functions within your organization; and,
  • identifying your current information practices (including how and why your organization collects, uses and discloses personal information).

The amount of time and resources that need to be devoted to a privacy audit will depend on the size of your organization, the amount of personal information you hold, and the complexity of your information handling practices.

For more information on how to conduct a privacy audit, refer to Implementation Tool 5: Conducting a Privacy Audit of your Personal Information Holdings.

4. Put your Practices to the Test

Having conducted a Privacy Audit of your organization's information handling practices, the next step is to assess how those practices measure up against the privacy principles found in PIPA, PIPEDA and other privacy legislation. A plan can then be developed to address any areas that do not comply with these principles.

Implementation Tool 6: Privacy Compliance Self-Assessment Tool was developed to assist organizations in self-assessing their readiness for privacy legislation. The tool assesses an organization's compliance with Implementation Tool 4: Ten Principles for the Protection of Privacy through a series of questions and generates a report outlining the additional steps an organization should take to be fully compliant.

5. Implement Changes

After auditing and analysing your information handling practices, you may need to implement certain changes to your information practices and systems (technological and otherwise).

Staff who are responsible for developing your privacy plan are not necessarily those you will need to implement it. Regardless of the size of your company, ideally, any area that collects, uses or discloses personal information should be involved in the implementation of your privacy program. For example, implementing changes to how your organization collects, uses and discloses employee information should involve Human Resources personnel.

Few organizations conduct business or deliver services without employing some form of information technology. Compliance with the privacy principles may require a change to some of your information systems. For example, you may need to update your computer databases so you can retrieve the personal information of a specific individual when requested, or you may need to eliminate automatic or invisible collection of personal information on your Web site.

6. Develop a Privacy Policy (Implementation Tool 8)

Good privacy practice often depends on the context in which personal information is handled and the expectations of the individuals interacting with an organization. Discussing privacy expectations with staff and customers/clients and thinking about ways to address their concerns will give an organization a sound basis for a privacy policy.

It may also be helpful to work with an industry association or other industry participants when developing a privacy policy. Organizations may find that their industry body has already thought about many of the privacy issues that arise in the industry.

7. Train Staff

The way an organization's staff handle personal information is just as important as the technology the organization has in place to manage and secure the information. A privacy plan should include a program to train staff about privacy procedures and the organization's privacy policy.

Your staff will need to understand that there are legislative requirements placed on your organization and that these requirements may necessitate changes in some of their jobs, tasks and responsibilities.

No matter how good your privacy policy and practices are on paper, or how secure your technology is, it is your staff who will be responsible for consistently complying with the privacy principles on a transaction-by-transaction basis. Therefore, staff training will be essential to your success in this area.

Every one of your employees, associates, contractors, partners, or agents who collect, use or disclose personal information will need to understand that they must do so in accordance with PIPA's privacy principles and your stated privacy policy.

The training needs of your staff (i.e., the type, scope, frequency and content) will vary according to the nature of their responsibilities. It is likely that you will need to undertake some sort of general education, as well as job-specific training for those new and existing staff responsible for managing personal information.

8. Develop or revise forms and communications materials

Review and revise as necessary your organization's forms, brochures, websites and other materials so that they comply with your privacy policy and information practices and inform your customers or clients about them. If your organization collects personal information by forms or online, you will need to include notices that inform individuals of the purposes of the collection.

9. Review and revise service contracts

Your organization is responsible for personal information in its custody (i.e., physically held by it) as well as information under its control (i.e., for which it has ownership or responsibility). This includes personal information that your organization has transferred to a contractor for processing, or information the contractor may have collected on your organization's behalf.

To ensure that this personal information is properly protected, your contracts should clearly state what requirements must be met to comply with applicable privacy legislation and any policies your organization has developed to properly manage personal information.

For sample contract language, please see Implementation Tool 9: Privacy Protection Schedule Template (PDF 167KB). Attaching this schedule or a similarly worded schedule to your agreements with third parties should enable your organization to comply with its privacy responsibilities.

10. Develop an effective complaints handling process

A privacy plan should include a process for handling privacy complaints. It is always more efficient for an organization to resolve complaints directly than to involve an outside regulator. Having an effective complaints handling process is an important part of managing privacy risks within an organization. It helps an organization to:

  • address complaints quickly and effectively;
  • identify (and address) any systemic or ongoing compliance problems;
  • increase consumer confidence in the organization's privacy procedures;
  • strengthen the good reputation of the organization; and,
  • avoid an investigation by the Information and Privacy Commissioner.

For tips on how to set up an effective complaints process, see Implementation Tool 7: Setting Up a Complaint Handling Process.


This page was last updated April 7, 2004.