Privacy and data security are becoming an area of significant concern for both businesses and individuals. It is important that you understand the laws and your obligations in this area so that you can reduce and mitigate risks.
Overview of the Privacy Regime in Canada
The Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA) is Canada’s federal privacy law for private sector businesses. It sets out the ground rules for how businesses must handle personal information.
PIPEDA requires businesses to obtain a person’s consent when they collect, use or disclose personal information in the course of a commercial activity.
Commercial activity is defined as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists” [s.2(1)]. What constitutes commercial activity depends on the facts. For example, a court-appointed trustee-in-bankruptcy who collects personal information to administer a bankruptcy was found to engage in commercial activity because it received remuneration for administering the bankruptcy [PIPEDA case summary 2006-336]. Similarly, a non-profit daycare that was subsidized by a municipal government was found to engage in commercial activity because it received payment for child care services [PIPEDA case summary 2005-309].
Some organizations may be exempt from PIPEDA in provinces that have enacted their own privacy legislation that is substantially similar to PIPEDA. To date, Quebec, Alberta and B.C. have enacted provincial privacy legislation that is deemed substantially similar to PIPEDA. Nevertheless, PIPEDA continues to apply to international and inter-provincial transfers of personal information by private-sector businesses in those provinces.
Personal information is defined as “information about an identifiable individual” [s.2(1)]. This includes both factual and subjective information about a person. Factual personal information includes information such as a person’s name, address, phone number, email address, ID numbers, and more sensitive information such as credit card information and financial information. Subjective personal information includes information such as a person’s opinions, evaluations and comments. Canadian courts have interpreted personal information so broadly that it also includes information that does not alone identify an individual but when combined with other information, does identify an individual.
PIPEDA’s 10 Fair Information Principles
Businesses subject to PIPEDA must follow a code for the protection of personal information. The code consists of 10 fair information principles that are set out in Schedule 1 of PIPEDA.
In addition to requirements around how to collect personal information, the fair information principles require businesses to appoint a chief privacy officer who is responsible for the business's compliance with PIPEDA, to make their personal information handling policies publicly available, and to allow individuals access to their personal information.
The fair information principles also require businesses to adopt security safeguards appropriate to the sensitivity of the information. For example, more robust security measures must be put in place to protect sensitive personal information such as financial information and medical records whereas less stringent security measures may be adopted to protect basic personal information such as name and email address.
Compliance Strategies for Businesses
The following six strategies will help businesses comply with their obligations under PIPEDA.
Develop a data breach response plan that complies with PIPEDA’s new breach reporting requirements.
On November 1, 2018, PIPEDA's new mandatory breach reporting and record-keeping requirements came into effect. These new provisions require businesses to keep a record of every "breach of security safeguards" and to report significant ones to the Office of the Privacy Commissioner of Canada and to the individuals affected by the breach. To comply with these requirements, businesses should develop a data breach response plan, which acts as the company's "playbook" in the event of a data breach.
Adopt appropriate security measures and ensure data security is up-to-date.
Businesses should adopt security measures that are appropriate to the sensitivity of the personal information. Businesses should also ensure that all data security is up-to-date. This may include, for example, ensuring all critical security patches are applied as soon as possible or within a reasonable period of time.
Obtain express consent whenever you can.
While PIPEDA allows businesses to rely on an individual's implied consent to the collection, use and disclosure of personal information in appropriate circumstances, businesses should nevertheless obtain an individual's express, written consent where possible and maintain a record of that consent in order to avoid any ambiguity in the consent process.
Conduct a periodic review of your personal information handling practices and policies.
Businesses should review their privacy policies and personal information handling practices annually to ensure they are up-to-date and make any amendments as necessary.
In an age where privacy breaches are splashed across the media, it is important for businesses, both big and small, to ensure they have appropriate privacy practices in place. This not only complies with the law but also demonstrates to clients and customers that you care about the personal data they entrust to you.
The information provided on this page is intended to provide general information. The information does not take into account your personal situation and is not intended to be used without consultation from accounting and financial professionals. Allan Madan and Madan Chartered Accountant will not be held liable for any problems that arise from the usage of the information provided on this page.