In our last post we discussed the applicability and non-applicability of PIPEDA and we briefly mention the 10 fair principles which PIPEDA contains. These principles are enshrined and explicitly and depicted in schedule 1, section 5 Now in our third series we shall discuss the 10 fair principles in detail.
1) Accountability (4.1): This principle speaks of organisation’s accountability in dealing with the personal information of an Individual and mandats to designate a person/s on behalf of organisation for it’s compliance. In other words we can relate the designation of a person/s to DPO (Data Protection Officers) appointed by organisations for its compliance under GDPR rules of European Union.
The accountability here stands for processing of data to third parties or within an organisation. In order to protect the same it speaks of contractual modes or any other mode as necessary through which an organisation can protect the data.
2) Identifying Purposes (4.2): this principle simply indicates that the personal information which is being collected by the organisation must be for identified purpose at the time or before such collection. It binds the organisation in terms of collection of data, only so much data which is required for the purpose must be collected and not more. However, if new purposes arise after the collection of Data the consent to be taken before using.
3) Consent (4.3): this principle speaks of knowledge and consent of an individual is essential before collecting the personal information. However, it has also provided certain situations where the personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For eg. Legal, Medical or for Security reasons.
For the purpose of 4.3, Division 1 under 6.1 speaks of valid consent and makes it clear that the consent would be valid only when the individual understands the nature, purpose and consequences of the use, collection or disclosure of the personal information to which they are consenting.
The consent for collection, use and disclosing of personal information is to be given by the person himself/herself or can also be given by an authorised representative or a person having a power of attorney and in case of a minor -legal guardian.
Under PIPEDA the consent can be withdrawn at any time subject to contractual restrictions and reasonable notice.
4) Limiting Collection (4.4): this principle is restrictive in nature and makes it very clear that the collection of personal information shall be limited to that which is necessary for the identified purposes and no other, the information collection shall be by fair and lawful means.
This principle is close to the Principle no. 2 Identifying Purposes and Principles no.3 Consent. In other words we can say principles Nos.2,3 and 4 are in line and forms trinity.
5) Limiting Use, Disclosure and Retention (4.5): This is again restrictive and stringent in nature and makes it mandatory that the personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent. As far as retention of personal information is concerned the organisation has to develop and limit the guidelines which shall contain the maximum and minimum retention period.
The personal information when no longer required shall be erased, destroyed or made anonymous. The destruction provisions shall be developed under those guidelines.This principle forms trinity with second and third principle i.e. Consent and Identifying Purposes.
The remaining 5 principles we shall discuss in our next part
………… to be continued.