Is MIDAS PIPEDA compliant?

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for the private sector. It sets out how organizations may collect, use, and disclose personal information in the course of commercial activity, and is built around ten fair information principles covering matters such as consent, accountability, safeguards, and an individual's right to access their information. PIPEDA is administered by the Office of the Privacy Commissioner of Canada (OPC).

Some Canadian provinces, including Quebec, Alberta, and British Columbia, have their own privacy laws that have been deemed "substantially similar" to PIPEDA. Where those apply, they do so in place of PIPEDA for activity within that province, but the approach we describe below holds good across all of them.

How PIPEDA applies to MIDAS

MIDAS is a room booking and resource scheduling tool. When you use MIDAS, you decide what personal information, if any, is entered into your booking system. You collect that information from the individuals concerned, and you determine how it is used. In relation to that information, the responsibility under PIPEDA rests with you; we simply host and process it on your behalf so that we can provide the MIDAS service to you.

PIPEDA recognises that organizations often transfer personal information to a third party for processing, and requires that such transfers be governed by contractual means that provide a comparable level of protection while the information is being processed. We meet this expectation in the following ways:

• We process the personal information held within your MIDAS system only on your behalf, and only in order to provide the MIDAS service to you.
• We do not sell that personal information, and we never have.
• We apply appropriate safeguards to protect the personal information we host on your behalf, as described in our Software Privacy Policy.
• For "cloud-hosted" systems, the processing relationship is already governed by our Data Processing Agreement, which provides exactly the kind of contractual protection PIPEDA expects when personal information is transferred for processing.

You can choose where your live MIDAS database resides from our available data center locations (currently the EU, US East Coast, or US West Coast). Wherever the data is hosted, the contractual safeguards described above continue to apply.

How we handle personal information generally, and the rights available to individuals, is described in our Software Privacy Policy and our GDPR Statement. Individuals can request a copy of the personal data we hold on them at any time using our self-service Subject Access Request tool.