Initially introduced in 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that protects data privacy.

Data privacy and video surveillance go hand-in-hand, and many PIPEDA-compliant organizations may wonder what is required of them, and how video surveillance fits into their security strategy. In this blog, we’ll look at PIPEDA, how it pertains to video security cameras, and how you can use video surveillance to strengthen overall security compliance throughout your organization.

What is PIPEDA?

PIPEDA stands for Personal Information Protection and Electronic Documents Act. It was established to protect an individual's personal information by dictating how businesses collect, use, and disclose such information.

According to the Office of the Privacy Commissioner of Canada, in order to comply with PIPEDA, an organization must:

• Obtain an individual's consent to collect, use or disclose that individual's personal information
• Use personal information only for the purposes for which consent has been granted
• Protect personal information with appropriate safeguards
• Accommodate an individual’s right to access their personal information
• Accommodate an individual’s right to challenge the accuracy of their personal information

What is considered personal information under PIPEDA?

Under PIPEDA (Personal Information Protection and Electronic Documents Act), personal information includes any factual or subjective information, recorded or not, about an identifiable individual.

This includes information in any form, such as:

• Age, Name, Identification Number
• Medical Records, Blood type, DNA, Ethnicity
• Financial Status, Income, Credit/Loan History
• Opinions/Comments, Evaluations, Social Status, or Disciplinary Actions
• Employment Files/History
• Identifiable Images and Video

Which organizations must comply with PIPEDA?

PIPEDA applies to any Canadian organization that collects personal information in the course of commercial activity. This includes federally regulated industries and the healthcare sector.

PIPEDA generally does not apply to non-profits, charity groups, or political parties. Certain organizations are typically covered by provincial laws as opposed to PIPEDA—such as universities, schools, hospitals, and municipalities.

The Ten Fair Information Principles of PIPEDA

The basic goal of PIPEDA is to protect personal data from misuse and to give individuals control over how their personal information is used in the private sector.

To comply with PIPEDA and follow best practices for data privacy, businesses are responsible for following the ten fair information principles:

1. Accountability: Organizations are held accountable for gaining the consent of an individual, protecting that information, and communicating any change.
2. Identifying Purposes: The reason the organization is collecting personal information must be identified before or at the time of its collection.
3. Consent: Organizations must request consent from individuals as well as re-request it if personal information use changes.
4. Limiting Collection: Only the personal information that is to be used by the organization should be collected, so as to limit the amount of data collected from the individual.
5. Limiting Use, Disclosure, and Retention: The use, disclosure, and retention of personal information must be conveyed and consented to by the individual.
6. Accuracy: Personal information must be accurate, or as up-to-date as possible, so that it can accurately be used in the way the organization intends.
7. Safeguards: Organizations must have security in place to appropriately house personal information.
8. Openness: Organizations must be open about their policies regarding the management of personal information and make that information easily accessible to the individual.
9. Individual Access: Organizations must provide a way for an individual to view their personal information.
10. Challenging Compliance: Individuals can challenge the organization at any point to verify the above principles are being followed.

How does PIPEDA Compliance Pertain to Video Surveillance?

Under Canadian privacy laws, footage and images captured by security cameras are considered personal information and are protected by PIPEDA. For this reason, it’s important to make sure that your video surveillance setup is PIPEDA-compliant.

How do you ensure video surveillance is PIPEDA-compliant?

Video surveillance in the private sector is subject to Canadian privacy laws, including PIPEDA. The Office of the Privacy Commissioner of Canada has outlined several guidelines to help organizations use security cameras in a PIPEDA-compliant manner. We’ll go over the key ones below.

• Inform the Public that Video Surveillance is Occurring: To comply with PIPEDA, a Canadian organization must communicate to individuals that they are being recorded and disclose how the footage will be used. The simplest way to achieve this is to post a clear sign on the premises before individuals enter the building. Signs should include a contact for questions and for people to request access to their images.
• Follow the ‘Reasonable Expectation of Privacy’ Rule: In general, security cameras are not permitted in areas where people have a “reasonable expectation of privacy”. Make sure you are using cameras in ‘public’ areas and not in areas where people expect privacy, such as bathrooms or changing rooms.
• Use Permissions-Based Role Management: Use a platform that lets you customize system access levels for different users. Granular user permissions allow you to tightly control who has access to personal information—you may want to restrict access based on role, the individual, or other parameters.
• Choose a Video Security System That Has Documented Security Practices: Choose a system that leverages strong security safeguards like end-to-end encryption, audit logs of all system access, and regular 3rd party security audits to check for potential system vulnerabilities. This ensures that recorded images are stored securely. You can review some of Rhombus' security practices here.
• Develop a Video Surveillance Policy: Create a policy that identifies clear goals for onsite video surveillance. It should outline a process for handling personal data and for adhering to PIPEDA’s ten fair information principles.

Keep in mind that because footage captured by security cameras is considered personal information protected by PIPEDA, it may only be used for the purposes for which individuals have given consent. For example, if a retailer plans to use video surveillance to analyze consumer behavior, this use case should be disclosed in the signage so that individuals may make informed decisions.

Maintaining PIPEDA Compliance with Rhombus

Data privacy is a core priority at Rhombus, and the platform is designed to make it easy for Canadian organizations to comply with PIPEDA and other privacy laws.

From end-to-end encryption to granular user permissions, Rhombus has many features that allow businesses to effortlessly maintain best-in-class cybersecurity and data privacy protocols. These include:

Protect system access with strict user permissions

• Only authorized end users have the authority to initiate and provide account access
• All granted access is logged and can be revoked at any time
• Rhombus does not have any form of super admin account that allows access to customer accounts

End-to-end encryption

• All media is fully encrypted with redundancy
• All video is encrypted
• Complete end to end encryption with all data encrypted both at rest and in-transit All communication with the cloud is encrypted

Automatic security updates

• Your organization is always protected by the most advanced and up-to-date cybersecurity protocols
• You’re never relying on out-of-date technology to safeguard your facilities
• There are no gaps in protection due to delays on the user end—once new updates are ready, they happen right away with no action required by your organization

Rhombus can also be used as a tool to achieve compliance through means of providing audio and video evidence to back up an individual’s consent. It also provides an easy way to share captured footage with individuals if they request access to it via Principle 9.

Compliance as the End-User’s Responsibility

PIPEDA applies to organizations that collect personal information. Rhombus does not collect, use, or distribute any personal information, and as such, PIPEDA is not applicable to Rhombus. In other words, there’s no way for a video security provider like Rhombus to be compliant or non-compliant. Due to the nature of how PIPEDA establishes ‘compliance’, it simply doesn’t apply.

The organization that is collecting video footage is responsible for maintaining PIPEDA compliance.

Start PIPEDA-Compliant Video Security with Rhombus

Surveillance cameras are a helpful tool that many private sector organizations use to secure their facilities. By following several best practices, it’s easy to use security cameras in a PIPEDA-compliant way to increase your organization’s safety and visibility.

PIPEDA compliance can be complicated, and Rhombus often addresses questions among prospects about video surveillance, security cameras, and data privacy regulations. Feel free to request a personalized demo or reach out to one of our experts if you have any questions on how to best roll out video security within your organization.

Rhombus has worked with numerous organizations that use cloud security cameras as part of their compliance strategy and hopes to aid anyone considering the use of security cameras in their organization.