Data privacy responsibilities in Canada between Clients, Agencies and SaaS service providers.
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, accountability and compliance responsibilities generally fall on both the SaaS service provider and the client (also called the data owner or controller). As a creative agency, we are ultimately a facilitator between SaaS services, operating on behalf of our clients, and with regard to CASL (Canada's Anti-Spam Legislation) or PIPEDA, do not have any liability.
As an agency representing our clients, we do ensure that all of our chosen/recommended SaaS providers are compliant with Canadian law, and we're here to help facilitate the preparation of a templated Privacy Policy document for our clients based on documents provided by Termly(tm). We are not lawyers though, and as in any case where there are legal implications, we recommend you seek professional counsel to ensure you are both educated about and compliant with contemporary privacy laws. Below is an outline that breaks down the SaaS provider's and the client's responsibilities.
PIPEDA Overview:
Accountability: Organizations (Data Controller) must designate an individual(s) who is responsible for compliance with PIPEDA, the Privacy Officer.
Consent: Organizations must obtain an individual’s consent when they collect, use, or disclose personal information.
Collection: Information must be collected by fair and lawful means.
Use, Disclosure, and Retention: Personal information can only be used or disclosed for the purposes for which it was collected unless the individual consents otherwise, or as required by law. It should be kept only as long as necessary.
Safeguards: Personal information must be protected by appropriate security measures.
Roles:
- Client: The primary entity for which the creative agency and the SaaS provider are working, and the owner of the data, or Data Controller.
- Creative Agency: Acts as an intermediary, possibly using the SaaS CMS to collect and process personal information on behalf of the client.
- SaaS Provider: Supplies the CMS and is responsible for ensuring the system’s compliance with PIPEDA.
Responsibilities:
- Client Responsibilities (Data Controller):
  - Consent: Ensure consent is obtained from individuals for the collection, use, and disclosure of their personal information.
  - Purpose Specification: Clearly define the purposes for which personal information is collected and ensure it is only used for those purposes.
  - Data Accuracy: Ensure personal information is accurate and up-to-date.
  - Respond to Inquiries: Handle inquiries and complaints from individuals about their personal information.
  - Privacy Policies: Develop and maintain privacy policies and practices that comply with PIPEDA.
- Creative Agency Responsibilities:
  - Compliance: Ensure their actions comply with PIPEDA, including the collection, use, and processing of personal information.
  - Acting on Behalf of the Client: Obtain clear instructions from the client and act in accordance with the client's privacy policies and PIPEDA requirements.
  - Security Measures: Implement appropriate security measures to protect personal information during handling and processing through its internal systems.
  - Training and Awareness: Ensure their staff are trained and aware of PIPEDA requirements and best practices for data protection.
  - Contracts and Agreements: Have clear agreements with both the client and the SaaS provider outlining responsibilities regarding data protection and compliance with PIPEDA.
- SaaS Provider Responsibilities:
  - Data Handling: Ensure the CMS collects, stores, and processes personal information in compliance with PIPEDA.
  - Security Measures: Implement security measures to protect personal information from unauthorized access, disclosure, alteration, or destruction.
  - Data Breaches: Notify the creative agency and the client of any data breaches that could affect personal information stored in the system.
  - Contracts and Agreements: Ensure contracts with the creative agency and the client clearly outline roles and responsibilities regarding data protection and PIPEDA compliance.
Shared Responsibilities:
- Compliance: Ensure all aspects of data handling and processing comply with PIPEDA. This includes collaboration between the client, the creative agency, and the SaaS provider.
- Data Processing Agreements (DPAs): Establish clear agreements specifying each party’s responsibilities concerning data protection and PIPEDA compliance.
- Audits and Monitoring: Regularly audit and monitor compliance with PIPEDA as it relates to each party's area of responsibility, and address any issues promptly.
If you have any questions or concerns about the status of your privacy policy or your risk exposure, we're happy to chat and share what we know.