All About PIPEDA: How do privacy laws affect my business?
January 20, 2021
From intellectual property to trade secrets to health records, all organizations, regardless of size or trade, collect, store, and transmit vast amounts of confidential data. But do all business owners understand what it means to safeguard data? And more importantly, do they understand what happens if they fail?
With stricter privacy laws on the horizon (Canada has tabled new legislation whose penalties rival those of the EU's GDPR), it is a good time to refresh your responsibilities when it comes to protecting client information. To help you out, we have put together a guide on what your business should know about Canada's privacy regulations. Keep reading to learn more!
Disclaimer: The information presented herein is general in nature and provided for educational purposes only. It is not exhaustive nor is it a substitute for legal or insurance advice.
Overview of PIPEDA:
How is consumer data protected?
In Canada, consumer data is currently protected under a federal law known as the Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs the collection, use, and disclosure of personal information (often called personally identifiable information, or PII) in the course of commercial activities.
Personal information is any information about an identifiable individual. It includes, but is not limited to: name, ID numbers, income details, credit records, medical history, address, ethnic origin, political affiliations and beliefs, education, employment history, and more. Business contact information (an employee's name, title, business address, phone number, or email) is excluded only when it is collected, used, or disclosed solely to communicate with that person in relation to their job, business, or profession.
Key points of PIPEDA include:
- Organizations are responsible for all personal information in their custody.
- Personal information may only be collected, used, or disclosed with the knowledge and consent of the individual (express or implied, depending on the sensitivity of the information), with limited exceptions specified by the legislation.
- Personal information must be protected from theft, unauthorized access, or disclosure by adequate safeguards.
- Information about an organization’s privacy policies and practices must be readily available to individuals upon request.
PIPEDA applies to private sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activity, and to federal works, undertakings or businesses (FWUBs), regardless of the technology used. Private sector organizations include privately owned or managed corporations, partnerships, and other businesses, including your small business.
Compliance with PIPEDA is overseen by a federal regulator, the Office of the Privacy Commissioner of Canada (OPC). The OPC takes an ombudsman approach to the Act: it investigates privacy complaints and issues findings and recommendations, but it cannot order compliance or levy fines. Unresolved matters can, however, be taken to the Federal Court, which can order an organization to change its practices and award damages.
Does PIPEDA apply throughout Canada?
While PIPEDA sets national standards for privacy practices, Alberta, British Columbia, and Quebec have enacted their own comprehensive private sector privacy legislation, known as:
- Alberta: Personal Information Protection Act (PIPA), overseen by the Office of the Information and Privacy Commissioner of Alberta
- British Columbia: Personal Information Protection Act (PIPA), overseen by the Office of the Information and Privacy Commissioner for British Columbia
- Quebec: Act Respecting the Protection of Personal Information in the Private Sector, overseen by the Commission d'accès à l'information du Québec
The above laws have been deemed “substantially similar” to PIPEDA and offer comparable protection. They apply in place of PIPEDA to provincially regulated private sector organizations doing business within their respective provinces, including private businesses, non-profit organizations, trade unions, and self-governing professions.
However, PIPEDA still operates in provinces without a “substantially similar” private sector privacy law, and it continues to apply in Alberta, British Columbia, and Quebec to:
- Interprovincial and international transactions involving the cross-border transfer of personal information in the course of commercial activities (e.g. sending a mailing list or other client data from one province to another)
- Federally regulated industries and workplaces, that is, federal works, undertakings or businesses (FWUBs) such as banks, telecommunications and transportation companies
Do PIPEDA and other provincial privacy laws apply to private health information?
Individuals and organizations that are considered “health information custodians”, such as physicians, nurses, and hospitals, are exempt from PIPEDA for the personal health information they handle in provinces whose health information privacy laws have been deemed “substantially similar” to the federal legislation.
These provinces include:
- New Brunswick: Personal Health Information Privacy and Access Act (PHIPAA)
- Newfoundland and Labrador: Personal Health Information Act (PHIA)
- Nova Scotia: Personal Health Information Act (PHIA)
- Ontario: Personal Health Information Protection Act (PHIPA)
Nonetheless, organizations that operate inter-provincially and internationally must comply with both provincial and federal privacy legislation. Several other provinces also have health-specific laws that have not been deemed “substantially similar” to PIPEDA; in those provinces, both the provincial law and PIPEDA apply.
The OPC publishes a full list of provincial and territorial privacy laws and the bodies responsible for their oversight.
Which law applies to my business?
There are numerous instances in which more than one privacy law could apply to records collected by an organization; which law applies must be determined case by case. For more information on how PIPEDA and provincial privacy legislation interact, consult the OPC's guidance on the application of PIPEDA.
What happens if my business experiences a privacy breach?
As of November 1, 2018, all organizations—including small businesses—subject to PIPEDA must:
- Report to the Privacy Commissioner of Canada any time a “breach of security safeguards” poses a real risk of significant harm to individuals;
- Notify affected individuals about those breaches; and
- Keep accurate and up-to-date records of ALL breaches, even those that pose no real risk of significant harm, for a minimum of 24 months after the day the organization determines that the breach occurred.
What’s considered “breach of security safeguards”?
PIPEDA defines a “breach of security safeguards” as: the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
Keep in mind: this definition covers unauthorized access that never leads to disclosure, and it covers loss of personal information with no attacker involved at all (a laptop left in a taxi, a misdirected email). Any instance of someone getting into your systems and reaching personal information, such as a ransomware or formjacking attack, is a breach under PIPEDA.
Breach Reporting Requirements:
How soon should I report a breach?
Breaches must be reported as soon as feasible after you determine they have occurred; the number of people affected does not change that. Whether a breach affects one person or 100, you must report it as long as there is a real risk of significant harm. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property.
If a breach is not reported to the OPC or affected individuals, your records must contain the rationale for that decision.
For more information on PIPEDA's mandatory breach reporting requirements, consult the OPC's breach reporting guidance and the Breach of Security Safeguards Regulations.
What kind of breach records do I have to keep?
You must record each breach of security safeguards involving personal information, whether or not it poses a real risk of significant harm. At minimum, each record should include:
- The date or estimated date/period of the breach;
- A general description of the circumstances of the breach and, if known, the cause;
- A general description of the nature and type of the personal information involved in the breach (personal details do not need to be included unless absolutely necessary);
- The number of individuals affected or, if unknown, the approximate number;
- Whether or not the breach was reported to the Privacy Commissioner of Canada and affected individuals were notified, and the steps taken to do so.
Remember, all records must be kept for at least 24 months (two years) after the day you determine a breach has occurred, so that the OPC can review them and recurring or systemic problems can be identified down the line. The Privacy Commissioner may ask for your records at any time, and they may be called into legal proceedings.
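As an added illustration (not part of the original post, and not legal advice), the following Python sketch shows how an incident response team might encode the record-keeping rules above as a small breach register: each record carries the listed fields, a record that was not reported must carry a rationale, a breach with a real risk of significant harm must have been reported and individuals notified, and the retention clock runs 24 months from the day the organization determined the breach occurred (the Breach of Security Safeguards Regulations count from that day, not from the breach itself). The field names and both sample records are assumptions constructed for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

RETENTION_MONTHS = 24  # Breach of Security Safeguards Regulations, s. 6(1)


@dataclass
class BreachRecord:
    """One entry in the breach register. Field names are this example's
    own; they mirror the minimum contents listed in the post."""
    determined_on: date              # day the organization determined a breach occurred
    breach_period: str               # date, or estimated date/period, of the breach
    circumstances: str               # general description; no personal details
    cause: Optional[str]             # None if unknown
    info_types: List[str]            # nature/type of personal information involved
    affected_count: Optional[int]    # exact or approximate number of individuals
    count_is_approximate: bool
    real_risk_of_significant_harm: bool
    reported_to_opc: bool
    individuals_notified: bool
    steps_taken: str                 # how reporting/notification was carried out
    rationale_if_not_reported: Optional[str] = None


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the month
    (e.g. 29 Feb 2020 + 24 months -> 28 Feb 2022)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def retention_ends(rec: BreachRecord) -> date:
    """Last day on which the record must still be held."""
    return add_months(rec.determined_on, RETENTION_MONTHS)


def must_retain(rec: BreachRecord, today: date) -> bool:
    return today <= retention_ends(rec)


def validate(rec: BreachRecord) -> List[str]:
    """Return the compliance problems this example checks for; an empty
    list means the record passed every check."""
    problems = []
    if not rec.circumstances.strip():
        problems.append("circumstances of the breach must be described")
    if not rec.info_types:
        problems.append("type of personal information involved must be recorded")
    if rec.affected_count is None:
        problems.append("number (or approximate number) of affected individuals must be recorded")
    if rec.real_risk_of_significant_harm:
        if not rec.reported_to_opc:
            problems.append("real risk of significant harm: report to the OPC is mandatory")
        if not rec.individuals_notified:
            problems.append("real risk of significant harm: affected individuals must be notified")
    if not rec.reported_to_opc and not rec.rationale_if_not_reported:
        problems.append("record must state the rationale for not reporting")
    return problems


# Constructed sample records (hypothetical incidents, not real ones).
LOST_LAPTOP = BreachRecord(
    determined_on=date(2020, 2, 29),
    breach_period="approx. 2020-02-25 to 2020-02-28",
    circumstances="Company laptop with full-disk encryption left in a taxi; not recovered.",
    cause="Employee error",
    info_types=["name", "business email"],
    affected_count=40, count_is_approximate=True,
    real_risk_of_significant_harm=False,
    reported_to_opc=False, individuals_notified=False,
    steps_taken="Remote wipe issued; loss reported to police.",
    rationale_if_not_reported="Disk encrypted with a strong key; low-sensitivity data; no real risk of significant harm.",
)

FORMJACKING = BreachRecord(
    determined_on=date(2020, 11, 3),
    breach_period="2020-10-01 to 2020-11-02",
    circumstances="Malicious script injected into the checkout page skimmed card details.",
    cause="Compromised third-party JavaScript dependency",
    info_types=["name", "address", "payment card number"],
    affected_count=1200, count_is_approximate=True,
    real_risk_of_significant_harm=True,
    reported_to_opc=False, individuals_notified=False,
    steps_taken="Script removed; card issuers informed.",
)

if __name__ == "__main__":
    for name, rec in (("lost laptop", LOST_LAPTOP), ("formjacking", FORMJACKING)):
        print(name, "retain until", retention_ends(rec), validate(rec) or "OK")
```

The second sample deliberately fails: it carries a real risk of significant harm, yet nothing has been reported and no rationale is recorded, which is exactly the state the reporting rules forbid. The month arithmetic is done on the calendar rather than with a fixed number of days because the Regulations express the retention period in months.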
Who is responsible for reporting the breach?
Every organization in control of personal information is responsible for reporting a breach of security safeguards. This applies even where the information has been transferred to a third party for processing (for example, a cloud service provider, or CSP) and the breach occurs while the data is with the processor: the organization that collected the information remains accountable. Depending on the nature of the relationship between the principal organization and the processor, who does the reporting may still need to be assessed case by case.
To ensure there are no misconceptions surrounding accountability, there should be sufficient contractual arrangements in place to address compliance with breach provisions under PIPEDA for all involved parties, including notification and record-keeping requirements. Seek legal counsel as needed.
To learn more about how cloud computing complicates jurisdictional privacy laws, read our whitepaper: The Cloud: Not Just a Place to Daydream Anymore.
What happens if I don't report a breach?
Knowingly disregarding PIPEDA's mandatory breach reporting, notification, and record-keeping requirements is an offence punishable by fines of up to $100,000 per violation. Failing to establish adequate security safeguards in the first place is itself a contravention of the Act and can lead to complaints, an OPC investigation, and Federal Court proceedings, including an award of damages.
In addition, the following are offences under PIPEDA and can lead to prosecution:
- Destroying personal information after receiving a request to access it;
- Retaliating against employees who, in good faith, report a contravention of PIPEDA or refuse to take part in one (whistleblower protection);
- Obstructing the Commissioner or a delegate in the course of an investigation or audit after a complaint is lodged.
Keep in mind: regulatory fines and penalties will be levied on top of existing breach remediation costs, such as forensic investigation, client notification, credit monitoring, legal fees, and more.
To learn more about the cost of a data breach, read: The Cybersecurity Stats You Should Know in 2020.
Amendments to PIPEDA:
What are the proposed changes to PIPEDA?
Increasing digitization, countless cyberattacks in recent years, and the outbreak of COVID-19 have brought the importance of online safety to the forefront. Consequently, the federal government has proposed a sweeping overhaul of PIPEDA to give Canadians greater control, transparency, and input into how their data is used.
If passed, Bill C-11, the Digital Charter Implementation Act, 2020 (DCIA), would replace PIPEDA's privacy provisions with the Consumer Privacy Protection Act (CPPA). The CPPA would introduce more stringent requirements in line with the EU's GDPR, requiring organizations to implement a privacy management program and obtain meaningful, informed consent before collecting personal information. It would also strengthen the OPC's enforcement role, giving it the power to issue orders and recommend administrative monetary penalties, with fines for the most serious offences of up to $25 million or 5% of global revenue, whichever is greater.
It will be quite some time before the DCIA makes its way into law, if it’s even passed at all. But with more business being conducted online than ever before, stricter regulations—and penalties—are inevitable. It is critical for all organizations, large and small, to reevaluate their cybersecurity posture and take a more disciplined and proactive approach to privacy management.
We know it’s hard to keep up with restrictions in constant flux. And while large organizations may have the resources to outsource their cybersecurity needs, SMBs are often ill-equipped to do the same. How can you protect yourself from cyber exposure? How do you know what protocols are right for your business? And how can you ensure compliance with changing data security laws?
For a list of standard cybersecurity measures, read: COVID-19: How to Keep Employees Cyber-Safe While Working From Home. But for more comprehensive guidance, consult a licensed broker—like PROLINK.
With nearly 40 years of experience, we’ve seen it all—privacy breaches, laws, amendments, and more. PROLINK can help you plan and protect with a tailored cyber risk management approach and a comprehensive Data Security & Privacy Breach Insurance policy unique to your business needs.
To learn more about your cyber exposures, connect with PROLINK today or watch our video: What kind of businesses don’t need Cyber Insurance?
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.