Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), governs how organizations collect, use and disclose personally identifiable information (PII) in the course of commercial activity. PIPEDA first received royal assent in 2000 and came into force in stages beginning in 2001; the Act requires a parliamentary review every five years. The most recent substantive change came into force on November 1, 2018, when the Digital Privacy Act amendments and the Breach of Security Safeguards Regulations took effect and, for the first time, made reporting of security breaches mandatory.
Every organization subject to PIPEDA is responsible for collecting only the information it needs to conduct business, for storing that information and controlling access to it securely, and for securely destroying it once it is no longer needed. Organizations must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. Individuals have the right to access the personal information an organization holds about them, and to challenge its accuracy.
PIPEDA is also strict about how personal information is used: it may be used only for the purposes for which it was originally collected. An organization that wants to use the information for a new purpose must obtain consent again for that purpose.
PIPEDA also has strong breach notification provisions. If you suffer a breach of security safeguards, you are obliged to report it to both the Office of the Privacy Commissioner of Canada and the individuals affected, as soon as feasible after you determine the breach has occurred. The reporting obligations are:
- any breach that poses a real risk of significant harm to an individual must be reported to the Privacy Commissioner, and the affected individuals must be notified; and
- an organization may also have to notify other organizations or government institutions that are in a position to reduce the risk of harm or mitigate it (for example, credit card companies, financial institutions or credit reporting agencies whose assistance is needed to contact individuals or to limit the damage).
In addition, organizations must:
- keep a record of every breach of security safeguards they experience, whether or not it met the reporting threshold, for 24 months after determining the breach occurred, and provide those records to the Privacy Commissioner on request.
For any business considering ignoring these regulations, note that:
- knowingly failing to report a breach to the Privacy Commissioner, and knowingly failing to notify an affected individual, are separate offences, each subject to a fine of up to $100,000. For notification of individuals, each person left unnotified is a separate offence; and
- knowingly failing to keep breach records, or destroying them, is also an offence subject to a fine of up to $100,000.
Should your business be concerned about PIPEDA?
If you do business in Canada, you need to ensure you comply with PIPEDA. (Alberta, British Columbia and Quebec have provincial private-sector privacy laws deemed substantially similar to PIPEDA, and those apply instead to activity that stays within the province; interprovincial and international data flows remain under PIPEDA.) Canada is far from the only country with privacy and breach disclosure rules, and more jurisdictions are rolling out similar laws that make businesses financially responsible for breaches. So no matter where in the world you operate, the safest course is to make sure you can protect your customer data now, so that your organization is already prepared when similar regulations become law in your area.