
What's wrong with PIPEDA

(February 19th, 2007 - 11:24PM)

PIPEDA (the Personal Information Protection and Electronic Documents Act) is both a good thing and a bad thing. This is mainly because PIPEDA has two parts: the first relates to Personal Information Protection (the PIP), and the second relates to Electronic Documents (the ED).

The Electronic Documents legislation is much needed, as it gives e-mail and other digital documentation the legal strength it's needed for a long time. PIPEDA allows the government to use electronic and physical documents almost interchangeably, which is important considering how prevalent electronic documentation has become.

The Personal Information Protection legislation, on the other hand, is questionable at best. It really seems to be a knee-jerk response to the privacy bandwagon, and most of its requirements are barely enforceable. For example, PIPEDA treats all holders of personal information the same, regardless of their size. It expects an individual person to exercise the same level of care as a massive corporation when protecting the privacy of others. See this excerpt from SCHEDULE 1:

"Accountability for the organization's compliance with the principles rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s)."

This is clearly written with the mega-corporation in mind, but the legislation applies just as strongly to a lone entrepreneur. I doubt that most one-man companies have a "designated individual" for managing privacy.

Although PIPEDA may be ideal, it's hardly realistic. Were every company, group and person to follow PIPEDA to the letter, the amount of wasted energy required would bring business to a total halt.

My company sometimes hits roadblocks with privacy legislation, and not always in ways that make sense. In one situation, a prospect told us that they couldn't use our software in the most efficient way possible, because doing so would require the software to access patron information, which would violate regional privacy legislation. This despite the fact that the patron information had already been provided to the institution with the patron's consent. But apparently, that data couldn't be shared between two systems in the same institution.

I'm not trying to downplay the importance of privacy. If you're entrusted with someone's personal information, you should do your best to protect it. But there comes a point where people have to take responsibility for their own personal information. If you scrawl your social insurance number on park benches across Canada, you shouldn't be surprised if it falls into the wrong hands. Or if you e-mail me your credit card number and someone hacks my account, I shouldn't be held liable. PIPEDA expects the recipients of personal information to be entirely responsible for the consequences of the giver's bad judgment. I don't want to be an unwilling steward for anybody's privacy protection.

The above is a slightly modified assignment for a BCIT course I'm taking.


mail@stevekwan.com