The Personal Information Protection and Electronic Documents Act (PIPEDA) requires the Office of the Privacy Commissioner (OPC) to “encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with sections 5 to 10” of the Act. In its discussion paper exploring potential enhancements to consent under PIPEDA, the OPC remarks that “[w]e have not yet fully explored this provision.”
To this end, the OPC, through its Contributions Program, became interested in funding academic research projects relating to developing codes of practice. In one such project, researchers at Ontario Tech University developed a privacy code of practice (the code) for connected and automated vehicles (CAVs).
Unlike privacy policies or statements, codes of practice tend to apply to more than one organization. It is worthwhile to note that the Act that is now PIPEDA itself began as a code of practice – the Canadian Standards Association (CSA) model principles. The ten principles in the CSA model were: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use; Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance. These principles are now enumerated in PIPEDA and form the basis of central obligations that all organizations in the commercial sector need to address when handling personal data.