PIPEDA Compliance

Summary

Canadian companies can use ConveYour and still maintain PIPEDA compliance. Storing PIPEDA deemed “personal information” is 100% optional in ConveYour. If it is stored in ConveYour, it is stored securely and may reside 100% in Canada. If you are using ConveYour to train employees; names, emails, and phone numbers are not deemed “personal information”.

What is “personal information” under PIPEDA

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection.....

Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name†, ID numbers, income, ethnic origin, or blood type;

  • opinions, evaluations, comments, social status, or disciplinary actions; and

  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

† name is reference as NOT being covered under PIPEDA below and in the next section under point 3.

"Personal Information", as specified in PIPEDA, is as follows: information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

Wikipedia - Personal Information and Electronic Documents Act

What is NOT covered by PIPEDA?

There are some instances where PIPEDA does not apply. Some examples include:

  • Personal information handled by federal government organizations listed under the Privacy Act

  • Provincial or territorial governments and their agents

  • Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession

  • An individual's collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)

  • An organization's collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes

How does ConveYour use “personal information”?

  • age, name, ID numbers, income, ethnic origin, or blood type;

  • opinions, evaluations, comments, social status, or disciplinary actions; and

  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or c

ConveYour never collects this information by default nor can learners enter it on their own. Only administrators of a company's ConveYour account would be able to create fields to store these values and import this data into contact records. The governance of this data is controlled by the company using ConveYour and PIPEDA principals should be followed.

100% of PII can be stored in servers physically located in Canada. Please talk to ConveYour's team about your infrastructure needs.

Name

As you can see above, an employee's name does not always apply as “personal information”.

ConveYour does not require that a name be stored into each contact's profile. However, it is highly suggested. Having a name on each contact (aka learner) profile makes finding and working with staff records easier. Without a name, an email can be used to uniquely identify someone in the system.

In SMS messages, names stored in each learner's profile MAY be dynamically referenced (completely optional). Example “Hi {first name}” turns into “Hi John” or “Hi Sally”. These text messages are sent via our SMS provider, Twilio, the largest SMS provider for applications in the world. Logs of the outbound messages are stored in Twilio and therefore optionally store the first name of each recipient. However, these outbound message logs can be redacted after sending. Also 99% of the time you are just optionally sending the first name of a contact NOT their entire name. No other PII is stored with Twilio.

Twilio supports phone number and message body redaction which we can implement for you if needed.

In e-mail messages, names are set on the “to” field when sending outbound emails.

How ConveYour uses employee emails and phone numbers...

“What is NOT covered by PIPEDA?”, point 3

Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession

Email

Emails are used to send outbound communication to learners and register users. All outbound email communication from ConveYour to contacts (aka learners) is optional. You may use your own email broadcasting system to alert learners of new content if you so choose.

Phone Numbers

ConveYour is well known for it's SMS capabilities. However, they are 100% optional. ConveYour allows you to setup SMS messaging to alert learners of new content available to them. Of course, to send SMS messages the system needs to have an employee's mobile phone number stored in their profile. Employee phone numbers would only ever be stored on.