
PIPEDA Requirements

Personal Information Protection and Electronic Documents Act


Overview

PIPEDA is Canada's federal private-sector privacy law. It applies to organizations that collect, use, or disclose personal information in the course of commercial activities. Where a province has substantially similar legislation (British Columbia's Personal Information Protection Act, which applies to a BC clinic's collection and use occurring within the province), PIPEDA still governs interprovincial and international flows of personal information, including the transfer to Vapi.ai in the United States described below.


10 Fair Information Principles

1. Accountability

Requirement: Designate an individual accountable for compliance.

| VitaraVox Implementation | Status |
|---|---|
| Privacy Officer designated | ⚠️ Needs appointment |
| Privacy policy published | ⚠️ Needs update |
| Staff training program | ⬜ Planned |

2. Identifying Purposes

Requirement: Identify purposes for collection at or before collection.

| VitaraVox Implementation | Status |
|---|---|
| Voice agent states purpose | ✅ Implemented |
| Privacy notice available | ⚠️ Needs update |
| Purpose limited to scheduling | ✅ Enforced |

3. Consent

Requirement: Knowledge and consent required for collection, use, and disclosure.

| VitaraVox Implementation | Status |
|---|---|
| Implied consent for scheduling | ✅ Valid basis |
| Explicit consent for registration | ✅ Voice script |
| Withdrawal mechanism | ✅ Transfer/hang up |

4. Limiting Collection

Requirement: Collect only what is necessary.

| VitaraVox Implementation | Status |
|---|---|
| Minimal data in call logs | ✅ No PHI logged |
| No medical records access | ✅ Enforced |
| Registration data limited | ✅ BC Health minimum |

5. Limiting Use, Disclosure, Retention

Requirement: Use only for identified purposes; retain only as needed.

| VitaraVox Implementation | Status |
|---|---|
| Call logs: 1 year retention | ✅ Documented |
| Audit logs: 7 years | ✅ Documented |
| Waitlist: until registered | ✅ Implemented |
| Automated purge | ⬜ Planned |
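The schedule above leaves the automated purge as planned work. The following is an added example, not VitaraVox code, of how a purge selector can encode that schedule so the job fails closed: it applies the 1-year and 7-year periods by anniversary date, treats waitlist entries as purpose-bound (deleted once the patient is registered, never by age), refuses to delete any record class it has no rule for, and emits an audit entry for every deletion so the purge itself is evidenced in the 7-year audit log. The `Record` layout, the rule tables, and the sample records are assumptions made for illustration.

```python
"""Retention purge selector for the documented schedule (added example).

Assumptions, not taken from the page: the Record layout, the rule tables,
and the constructed sample records below.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str                          # "call_log", "audit_log", "waitlist"
    created_at: datetime               # timezone-aware
    registered: Optional[bool] = None  # waitlist entries only


# Time-based classes and their retention, from the schedule above.
RETENTION_YEARS = {"call_log": 1, "audit_log": 7}
# Purpose-bound classes: kept until the purpose is fulfilled, never aged out.
PURGE_ON_REGISTRATION = {"waitlist"}


@dataclass
class PurgePlan:
    purge: List[str] = field(default_factory=list)
    keep: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)   # kinds with no rule
    audit_entries: List[str] = field(default_factory=list)


def years_ago(now: datetime, years: int) -> datetime:
    """Anniversary-based cutoff (29 Feb falls back to 28 Feb)."""
    try:
        return now.replace(year=now.year - years)
    except ValueError:
        return now.replace(year=now.year - years, day=28)


def plan_purge(records: Iterable[Record], now: datetime) -> PurgePlan:
    """Decide which records are eligible for deletion at `now`.

    Nothing is deleted here; the caller executes the plan and appends
    `audit_entries` to the audit log (itself retained for 7 years).
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    plan = PurgePlan()
    for r in records:
        if r.kind in RETENTION_YEARS:
            eligible = r.created_at < years_ago(now, RETENTION_YEARS[r.kind])
        elif r.kind in PURGE_ON_REGISTRATION:
            eligible = r.registered is True
        else:
            # Fail closed: an unclassified record is kept and flagged,
            # never silently deleted or silently retained forever.
            plan.unknown.append(r.record_id)
            plan.keep.append(r.record_id)
            continue
        if eligible:
            plan.purge.append(r.record_id)
            # Audit entry carries identifier and class only, no record content.
            plan.audit_entries.append(
                f"{now.isoformat()} purge kind={r.kind} id={r.record_id} "
                f"created={r.created_at.date().isoformat()}"
            )
        else:
            plan.keep.append(r.record_id)
    return plan


# Constructed sample data (not real call or patient records).
UTC = timezone.utc
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=UTC)
SAMPLE_RECORDS = [
    Record("c1", "call_log", datetime(2024, 5, 1, tzinfo=UTC)),    # > 1 year
    Record("c2", "call_log", datetime(2024, 7, 15, tzinfo=UTC)),   # < 1 year
    Record("a1", "audit_log", datetime(2018, 5, 30, tzinfo=UTC)),  # > 7 years
    Record("a2", "audit_log", datetime(2019, 1, 1, tzinfo=UTC)),   # old, but < 7 years
    Record("w1", "waitlist", datetime(2025, 5, 20, tzinfo=UTC), registered=True),
    Record("w2", "waitlist", datetime(2020, 1, 1, tzinfo=UTC), registered=False),
    Record("x1", "transcript", datetime(2010, 1, 1, tzinfo=UTC)),  # no rule
]


def demo() -> PurgePlan:
    return plan_purge(SAMPLE_RECORDS, SAMPLE_NOW)


if __name__ == "__main__":
    p = demo()
    print("purge:", p.purge)
    print("keep:", p.keep)
    print("unknown (review):", p.unknown)
```

Running the plan in dry-run mode and reviewing the `unknown` list before enabling deletion is the safe rollout order: the only way to shorten the audit-log retention is to change `RETENTION_YEARS` deliberately, and a new record class added to the system cannot be purged until someone writes a rule for it.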

6. Accuracy

Requirement: Keep information accurate, complete, up-to-date.

| VitaraVox Implementation | Status |
|---|---|
| Patient data from OSCAR (source) | ✅ No copies |
| Confirmation before booking | ✅ Voice flow |
| Registration read-back | ✅ Voice flow |

7. Safeguards

Requirement: Protect with appropriate security.

| VitaraVox Implementation | Status |
|---|---|
| TLS 1.2+ for all traffic | ✅ Configured |
| AES-256 encryption of stored credentials (cipher mode and key storage not documented here) | ✅ Implemented |
| Rate limiting | ✅ 100 req/min |
| Access controls (RBAC) | ✅ Admin UI |

8. Openness

Requirement: Make policies and practices available.

| VitaraVox Implementation | Status |
|---|---|
| Privacy policy on website | ⚠️ Needs update |
| Sub-processor disclosure | ⚠️ Needs documentation |
| Retention schedule published | ⬜ Planned |

9. Individual Access

Requirement: Provide access to personal information on request.

| VitaraVox Implementation | Status |
|---|---|
| Access request procedure | ⚠️ Needs documentation |
| 30-day response timeline (extendable once by up to 30 days under s. 8(4), with notice to the requester) | ⚠️ Needs procedure |
| Correction mechanism | ⬜ Planned |

10. Challenging Compliance

Requirement: Provide mechanism to address complaints.

| VitaraVox Implementation | Status |
|---|---|
| Complaint procedure | ⚠️ Needs documentation |
| Privacy Officer contact | ⚠️ Needs appointment |
| Escalation to OPC | ⬜ Document in policy |

Cross-Border Transfers

Vapi.ai (United States)

PIPEDA does not prohibit transfers of personal information outside Canada, but the transferring organization remains accountable for it (Principle 1) and must use contractual or other means to ensure a comparable level of protection while a third party processes it. Individuals must also be told that their information may be processed in another country and may be accessible to that country's authorities. Vendor attestations such as HIPAA compliance support the assessment but do not complete it.

Requirements:

| Requirement | Status |
|---|---|
| Comparable protection assessment | ✅ Vapi HIPAA-compliant |
| Contractual safeguards (BAA or equivalent data processing agreement) | ⚠️ Needs execution |
| Disclosure in privacy policy | ⚠️ Needs update |

Breach Notification

Since 1 November 2018, when the Breach of Security Safeguards Regulations came into force, PIPEDA requires organizations to report, notify, and keep records of breaches of security safeguards. The reporting threshold is a "real risk of significant harm" to an individual, judged on the sensitivity of the information and the probability that it will be misused; medical information is generally treated as sensitive.

| Threshold | Action | Timeline |
|---|---|---|
| Real risk of significant harm | Report to OPC | As soon as feasible after determining the breach occurred |
| Real risk of significant harm | Notify affected individuals | As soon as feasible |
| Real risk of significant harm | Notify other organizations or government institutions that may reduce the risk of harm | As soon as feasible |
| Any breach | Record in the internal breach register | On discovery |
| Any breach | Retain the record | 24 months from the date the breach was determined to have occurred |

Action Items

| Priority | Action | Owner |
|---|---|---|
| High | Appoint Privacy Officer | Leadership |
| High | Update privacy policy | Privacy Officer |
| High | Execute Vapi BAA | Legal |
| Medium | Document access request procedure | Privacy Officer |
| Medium | Document complaint procedure | Privacy Officer |
| Low | Implement automated retention purge | Engineering |

Next Steps