Introduction
The Personal Information Protection and Electronic Documents Act (PIPEDA) allows Canadians to take charge of their data and provides companies rules about how to handle their personal information. It protects personal privacy rights and the right of individuals to control their data (unlike HIPAA, which protects health information in the US). PIPEDA relates specifically to Canadian companies.
Many of you might wonder: Do Canadian web designers need to adhere to HIPAA? Whereas PIPEDA controls data privacy in Canada, HIPAA regulates healthcare data in the United States. However, in the case that a Canadian company is obtaining or handling PHI of U.S. citizens, then that organization must also follow HIPAA compliance rules.
Although PIPEDA applies to all companies, this is especially pertinent for companies in the health and wellness industry such as private practices, psychologists, chiropractors and hospitals that handle private healthcare data. Any company running a website gathering personal data must follow PIPEDA rules.
Furthermore, pertaining knowledge of other rules such as HIPAA compliance in the USA, and General Data Protection Regulation (GDPR) in the EU is a useful component since every person in the world should have the right to privacy over their identifiable medical records.
What is PHI?
(PHI) is a crucial component to PIPEDA and stands for Personal Health Information. Examples of PHI that must be kept private under PIPEDA are:.
- E-mail addresses,
- Phone numbers
- Medical records, or
- IP addresses
Who is responsible for PIPEDA compliance - the web designer or the client?
The ultimate responsibility for compliance lies with the client (the website owner). Therefore, working with an organization that is familiar with PIPEDA and who can educate you and provide best practices is optimal for your company’s success.
To help you stay up to date and complaint, download our Free Monthly PIPEDA Compliance Checklist here.
Here are 10 tips to ensure PIPEDA compliance on your website.
Any Canadian company that gathers personal data must understand PIPEDA. Non-compliance can have serious repercussions, including damage to reputation and legal fines. The main thing to remember is that PIPEDA ensure that the data collected on your website is secure but also inaccessible. Here’s 10 tips on how to do just that.
1. Change Passwords Frequently
Changing passwords regularly is the most basic but efficient way to secure sensitive data. Passwords should be different per account and difficult enough to prevent guessing and brute force.
- A strong password at least 12 characters long will combine uppercase, lowercase, digits, and special characters.
- Change the passwords for your staff members and users every sixty to ninety days.
- Two-factor authentication (2FA) is even more secure, whereby users validate themselves using another device-text messaging, an authentication app).
2. Use a VPN
Virtual Private Network (VPN) encryption protects your online communication so that no one outside the system can see the information transferred between your computer and the websites you visit. This is especially true when you’re sharing confidential data over public Wi-Fi, where interceptions are most likely. A VPN not only secures private information while it is being transferred but also hides the user’s IP address, which ensures that web designers and customers are as private as they can be and shields people’s data from cyber attacks. A VPN you can check out for your business is Perimeter81.
3. Report PHI Violations
Personal Health Information (PHI) is private and should not be treated lightly. Don’t open or share customer PHI except if you have to do so to run your business. If you discover a PHI breach – unauthorized access or release of health data, for example – you must report it immediately to the Office of the Privacy Commissioner of Canada. They give you the steps to report and handle incidents like that, preventing harm and complying with PIPEDA. You can report a breach to the government here.
4. Choose a Secure Hosting Provider
Your website is only secure when you choose a secure host provider. Be sure to search for a provider with advanced security features like firewalls, intrusion prevention, and security audits. These protect you from unauthorized access and attacks. Furthermore, your site can benefit from being hosted in Canada to support PIPEDA. Canadian laws and regulations will ensure that data obtained from Canadian users is governed by Canadian laws and regulations, allowing you even greater data privacy assurance.
- A good Canadian website host we like is Host Papa.
5. Obtain Clear Permission
Organizations must have people’s explicit permission before gathering, processing, or disclosing their data. This means users should know what data you are collecting and why. Make your permission forms very clear.
- Add checkboxes to have users opt in.
- Ask for only what is necessary by your company and tell users what their data will be used for.
- Use 2FA in forms.
6. Provide Users with Access to Their Information
The ability for users to own their data is a trust- and transparency-builder. Implement access to account login and view their data. That’s also the ability to update their information and cancel their accounts if they want to. Offering this kind of control to users makes you compliant with PIPEDA and makes it easier for visitors to enjoy the whole user experience on your site.
7. Implement SSL Encryption
SSL (Secure Socket Layer) encryption is essential to keep data secure between your server and your user’s browsers. Data can’t be read during the transmission with an SSL certificate. Enabling SSL causes users to see a padlock symbol in the address bar of the browser. This makes them confident that their data is safe. Without SSL, information is transmitted as text, and thus, it’s prone to being intercepted and stolen.
8. Regularly Update website
Keep your website, themes, and plugins up to date for security. These updates tend to contain security fixes. If you regularly update and download updates, a hacker will not be able to access your site easily. Enable automatic updates may also be a feature you can choose with your host.
9. Create a Privacy Policy
A detailed privacy policy is mandatory under PIPEDA. This must specify what information your company uses, stores, and protects. It also should clarify user’s rights regarding their data and how to exercise them. Include this policy in a prominent location on your site (often included in the footer or when signing up). Your users will be convinced by a clear privacy policy that you are serious about preserving their information.
- Ensure all your forms including even your subscribe form has a link to your privacy policy.
10. Implement Access Controls
Limit the data access to sensitive information so only authorized employees can see or edit it. Create role-based access controls so that only the information employees require is available to them. This reduces the likelihood of hacking and secures personal data from insider attacks. Make frequent changes to access rights so data stays secure and PIPEDA compliant.
Canadian Taxes for WordPress Website
Download this free excel spreadsheet that includes the tax rates for all of Canada’s provinces and territories. Download here.
Conclusion
We offer health and wellness solutions, serving clinics, therapists, mental health facilities, and non-profit organizations at Supernova Sites. We focus on being PIPEDA compliant so that our clients can protect sensitive personal data and keep their customers happy.
With these recommendations, SMBs that offer health and wellness products can control their websites without violating customers’ privacy. Always remember that the safety of personal data is not about tricking the system; it is about preserving the integrity of every person.
Get our free Monthly PIPEDA Compliance Checklist here.
NEWSLETTER
Was this content useful to you?
Opt-in to get more website tips straight to your inbox.
View our privacy policy to learn more about your data.
