In Canada, consumer data is currently protected under a federal law known as the Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs the collection, use, and disclosure of all personally identifiable information (PII) gathered in commercial activities.

PII includes, but is not limited to: name, ID numbers, income details, credit records, medical history, address, ethnic origin, political affiliations and beliefs, education, employment history, and more. PII excludes any business information needed to conduct work, such as employee names, titles, or business addresses, phone numbers, or emails.

Key points of PIPEDA include:

• Organizations are responsible for all personal information in their custody.
• Personal information may only be collected, used, or disclosed by an organization with the express knowledge and consent of the individual, with limited exceptions as specified by the legislation.
• Personal information must be protected from theft, unauthorized access, or disclosure by adequate safeguards.
• Information about an organization’s privacy policies and practices must be readily available to individuals upon request.

PIPEDA applies to all private sector organizations and federal works, undertakings or businesses (FWUBs) throughout Canada, regardless of the technology used. Private sector organizations include all privately-owned or managed corporations, partnerships, or other businesses—including your small business.

Compliance with PIPEDA is overseen by a federal regulator known as the Office of the Privacy Commissioner of Canada (OPC). The OPC takes an ombudsman approach to the Act, in that it investigates and handles data security complaints, but has no power to order compliance or levy fines.

While PIPEDA sets national standards for privacy practices, Alberta, British Columbia, and Quebec have enacted their own comprehensive private sector privacy legislations known as:

• Alberta: Personal Information Protection Act (PIPA), overseen by the Office of the Information and Privacy Commissioner of Alberta
• British Columbia: Personal Information Protection Act (PIPA), overseen by the Office of the Information and Privacy Commissioner for British Columbia
• Quebec: Act Respecting the Protection of Personal Information in the Private Sector, overseen by the Commission d’acces a l’information du Quebec

The above laws have been deemed “substantially similar” to PIPEDA and are considered equivalent in terms and protection. They will respond in place of PIPEDA to all provincially regulated private sector organizations, including private businesses, non-profit organizations, trade unions, and self-governing professions doing business within their respective provinces.

However, PIPEDA still operates in provinces without a “substantially similar” private sector privacy legislation and continues to apply in Alberta, British Columbia, and Quebec for all:

• Interprovincial and international transactions involving the cross-border transfer of personal information in the course of commercial activities (e.g. sending a mailing list or other client data from one province to another)
• Federally regulated industries or workplaces or federal works, undertakings or businesses, or FWUBs (e.g. banks, telecommunications and transportation companies)

Individuals and organizations that are considered “health information custodians”, such as physicians, nurses, and hospitals, are exempt from PIPEDA in provinces with specific health information privacy laws that have also been deemed “substantially similar” to federal legislation.

These provinces include:

• New Brunswick: Personal Health Information Privacy and Access Act (PHIPAA)
• Newfoundland and Labrador: Personal Health Information Act (PHIA)
• Nova Scotia: Personal Health Information Act (PHIA)
• Ontario: Personal Health Information Protection Act (PHIPA)

Nonetheless, organizations that operate inter-provincially and internationally must comply with both provincial and federal privacy legislation. Additionally, several other Canadian provinces have health-specific laws that have not been deemed “substantially similar” to PIPEDA, in which case both the provincial laws and the PIPEDA would apply.

For a full list of provincial and territorial laws and who is responsible for their oversight, click here.

There are numerous instances in which more than one privacy law could apply to records collected by an organization, though this must be determined on a case-by-case basis. For more information regarding the application of PIPEDA and provincial privacy legislations, please consult the following resources from the OPC:

• Provincial and territorial privacy laws and oversight
• Provincial laws that may apply instead of PIPEDA
• Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia’s Personal Information Protection Acts
• Find the right organization to contact about your privacy issue

As of November 1, 2018, all organizations—including small businesses—subject to PIPEDA must:

• Report to the Privacy Commissioner of Canada any time a “breach of security safeguards” poses a real risk of significant harm to individuals;
• Notify affected individuals about those breaches; and
• Keep accurate and up-to-date records of ALL breaches, even if there is no risk of significant harm for a minimum of 24 months after the day the breach occurred.

PIPEDA defines a “breach of security safeguards” as: the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.

Keep in mind: this definition includes unauthorized access that doesn’t necessarily lead to disclosure. That means any instance of someone hacking into your systems and obtaining personal information, like a ransomware or formjacking attack, would be considered a breach under PIPEDA.

Breaches must be reported as soon as feasible once discovered—it doesn’t matter how many people are impacted. Whether a breach affects one person or 100, you’ll still need to report as long as there’s a real risk of significant harm, such as damage to one’s professional or personal reputation, financial loss, identity theft, physical harm, property damage, and more.

If a breach is not reported to the OPC or affected individuals, your records must contain a rationale for doing so.

For more information on PIPEDA’s mandatory breach reporting requirements, please consult the following federal resources:

• Breach of Security Safeguards Regulations
• What you need to know about mandatory reporting of breaches of security safeguards

You must record each breach of safeguards involving personal information, whether or not the breach results in a significant risk of harm. At minimum, all records should include:

• The date or estimated date/period of the breach;
• A general description of the circumstances of the breach and, if known, the cause;
• A general description of the nature and type of the personal information involved in the breach (personal details do not need to be included unless absolutely necessary);
• The number of individuals affected or, if unknown, the approximate number;
• Whether or not the breach was reported to the Privacy Commissioner of Canada, individuals were notified, and the steps taken to do so.

Remember, all records must be kept for up to 24 months (two years) following the initial discovery of a security incident, in case breaches are revealed down the line. Moreover, the Privacy Commissioner may ask you to provide your records at any time or they may be called into legal proceedings.

All organizations that collect personal information are required to disclose a breach of security safeguards. This principle applies even in cases where personal information has been transferred to a third-party for processing (i.e. a cloud service provider, or CSP for short) and a breach occurs while the personal information is with the processor. However, depending on the nature of the business relationship between the primary organization and the third-party processor, reporting requirements may need to be assessed on a case-by-case basis.

To ensure there are no misconceptions surrounding accountability, there should be sufficient contractual arrangements in place to address compliance with breach provisions under PIPEDA for all involved parties, including notification and record-keeping requirements. Seek legal counsel as needed.

To learn more about how cloud computing complicates jurisdictional privacy laws, read our whitepaper: The Cloud: Not Just a Place to Daydream Anymore.

Disregard—both intentional and unintentional—for PIPEDA’s mandatory breach reporting, notification, and record-keeping requirements could lead to fines and penalties of up to $100,000 per violation. Failure to establish security safeguards in the first place can also expose businesses to penalties.

In addition, the following offences could lead to criminal prosecutions under PIPEDA:

• Purposely destroying information after receiving a request to review it;
• Vengeful or disciplinary behaviour towards employees who attempt to follow PIPEDA;
• Stalling or holding up investigations after a complaint is lodged.

Keep in mind: regulatory fines and penalties will be levied on top of existing breach remediation costs, such as forensic investigation, client notification, credit monitoring, legal fees, and more.

To learn more about the cost of a data breach, read: The Cybersecurity Stats You Should Know in 2020.