In this guidance note, we describe elements of a privacy programme and direct organisations to links with additional resources.
Section 5 of the Personal Information Protection Act (PIPA), "Responsibility and compliance", contains the following requirements:
(1) Every organisation shall adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in this Act.
(2) The measures and policies in subsection (1) shall be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals by the use of the personal information.
(7) In meeting its responsibilities under this Act, an organisation shall act in a reasonable manner.
These provisions contain a great deal of flexibility. This flexibility is useful, because every organisation is different. Personal information may be used in many different ways and for many different purposes. These varying circumstances create a variety of potential risks to individuals.