The global regulatory landscape is evolving to keep pace with both an expanding consumer reliance on data-driven services and an increasing number of corporate data breaches. November 1, 2018 marks the date important revisions to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) take effect. In this blog, we discuss these changes and their impact on your business.
PIPEDA was implemented in 2000 as Canada’s federal privacy protection regulation. The law sets standards for how private sector organizations collect, use, and disclose personal information in the course of commercial business. Current PIPEDA standards require organizations to:
- Obtain consent when collecting, using, and disclosing personal information
- Collect information by fair and lawful means
- Have clear, understandable, and readily-available personal information policies
- Supply an individual with a product or a service even if they refuse consent to the collection, use or disclosure of their personal information—unless that information is essential to the transaction
The Office of the Privacy Commissioner (OPC) oversees PIPEDA compliance. Individuals who believe their personal information has been mishandled may complain to the Privacy Commissioner, and the OPC may assess fines of up to $100,000 if an organization is found to be non-compliant.
On November 1, 2018, new rules for mandatory privacy breach notification will take effect. PIPEDA-compliant private sector organizations must report security breaches to the OPC when it’s suspected that the breach creates a “real risk of significant harm” to affected individuals. The OPC defines “significant harm” as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property.” Organizations that knowingly violate PIPEDA breach notification requirements may face fines of up to $100,000 per violation.
Breach Notification Requirements
If your organization has a security breach, it must report the following information to the OPC:
- A description of the circumstances of the breach and, if known, the cause
- The day or period during which the breach occurred or, if neither is known, the approximate period
- A description of the personal information that is the subject of the breach (to the extent known)
- The number of individuals affected by the breach if known (or approximate number)
- A description of the steps taken to reduce the risk of harm to affected individuals or to mitigate that harm
- A description of the steps that the organization has taken or intends to take to notify affected individuals
- The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach
Similar information must be provided to the affected individuals, and PIPEDA requires you to keep breach notification documentation for at least 24 months after the date of the breach.
In addition to taking proactive measures to review your information storage, management and disposition practices, make sure your company has a written breach response plan. It should include procedures for detecting, remediating, and documenting incidents that result in the unauthorized access of personal data.
For additional guidance on complying with PIPEDA’s new requirements and fortifying your organization’s breach preparedness, please contact us by phone or complete the form on this page.
FileBank offers records management and data protection solutions to businesses throughout Canada.