PIPEDA Personal Information Protection and Electronic Documents Act

Yesterday at my work there was a question over what is an electronic document. I interpreted a person’s ‘record’ to include photographs, STL, OBJ, etc. as part of a person’s electronic data. Unless they know and intend it to be in the public (like uploading a design to web sites like Printables, Thingiverse …), organizations and businesses are required to follow PIPEDA rules. The debate was that, as a person’s design or photograph does not carry their personal name and such, it does not need to follow PIPEDA.

I don’t think this is correct. Partly, any document has electronic tags and such that can include private information (copyright notices, contact for copyright act), and as it is their thing, it is their data. (Copyright is murky in a university, so let’s leave that out; that is a different topic, and not relevant, as it is a print centre environment in a university I am focused upon.)

Does anyone have thoughts?

PIPEDA will only apply if you are embedding personal information in a sketch, drawing, etc.

Even then, PIPEDA may not give you the relief you are looking for. PIPEDA gives you the right to know what information someone has and the right to request information be corrected. PIPEDA does not give you the right to have anyone delete (or otherwise change) a file.

Protection of intellectual property is copyright.

I am not concerned with copyright, only digital storage.

Let me try to explain the issue differently. I work in a university, I manage a department and have 1000 students. We have been looking at a drop off print system for digital prints and possibly 3d prints too.

The issue is, I am 100% required to keep names, addresses, credit cards, etc. confidential, and stored in Canada. This data must be stored with what a reasonable person would feel is a reasonable level of security. We do this. The files sent are the question. I have been contending they too need to be kept secure with the same security.

There is a different group that does not think any is needed and just being left on a general access computer file drop is fine.

Where does this requirement come from? If it is mandated by the university and you are dealing with a university issue (e.g. student assignments), then there is your answer.

Note: PIPEDA only applies to federally regulated entities. Universities are provincial jurisdiction and exempt from PIPEDA. You need to refer to the province in which the university resides.

My understanding is that between PIPEDA (federal) and provincial (every province) and the corresponding privacy laws, it is all effectively the same. It applies to all public and private organizations in Canada. We cannot share or divulge private personal information.

I’m in the private sector and IT data security is a constant element in what I deal with even though I’m not a Cyber Security person. In general, it’s always best to err on the side of caution - the files being dropped off should be afforded the same reasonable security protection - until the creator or author of the file publishes it publicly, it’s their intellectual property (assuming they are not using something publicly published, or purchased, and the purchased item will demand the copyright protection you mentioned as a different topic).

A) It’s just the right thing to do in this day and age, and can be implemented easily enough.
B) What if the item/file is for a classified research project being funded by an external party - their requirements for protection will need to be enforced, or you end up duplicating the entire system - which is just a terrible waste of compute and storage resources, never mind the extra work and cost inefficiencies, power, cooling and space requirements that get added in.
C) General data security also matters - what if you have individuals with a personality clash (never happens anywhere, right?) and someone was to access the file and modify it so that it leads to production material waste or general print failure?

It starts with keeping the question “What could go wrong?” and figuring out the main risks, then re-examining for the edge case risks. Security is annoying, but not being secure, and the risks that come with that are capable of being catastrophic for a number of things, and reputational harm is one of them, and extremely hard to repair.

For the group that doesn’t think it’s needed, ask them this: What if they submitted their absolute best photograph or 3D print design ever, one that would earn them prize money or accolades or similar, and someone lifted a copy and shared it or claimed it was their work? Sometimes getting them to wear the shoes helps.

Until someone declares the file/design is now in the public domain, it should be treated as either IP or private data.

(If you want to have fun, try to get Cyber Security insurance … the things you have to do! and keep doing!)
