We gathered a few resources for you to stay up to date on privacy and…
PIPEDA: A Company’s New Responsibility in Storing Personally Identifiable Information
What is PIPEDA?
In Canada, most legal obligations pertaining to cybersecurity can be found in one of the privacy laws. The principal law is the Personal Information Protection and Electronic Documents Act (PIPEDA), which became law on April 13th, 2000 and came into full effect on January 1st, 2004 after a two-stage implementation. The legislation not only covers the ways data should be safely stored in the digital world, but also how organizations must collect, use and disclose personal information in the course of commercial activities.
Related post: How is PIPEDA Enforced?
In PIPEDA, ‘personal information’ or Personally Identifiable Information (PII) is defined as information about an identifiable individual such as age, name, marital status, educational level, e-mail addresses, ID numbers, income, ethnic origin, blood types, employee files, credit records, loan records, medical records, opinions, evaluations, purchases, height, weight, fingerprints, voiceprints, and so on.
The objective of the law is to balance the need for organizations to use data for legitimate business purposes, and individuals’ right to privacy.
Simultaneously, by incorporating and making the provisions of the Canadian Standard Association’s Model Code mandatory for the Protection of Personal Information, the government aimed to reassure the European Union, which declared the law adequate in the early 2000s.
Does PIPEDA apply to your organization?
PIPEDA applies to:
- Federal works, undertakings or businesses, no matter where they are located (e.g. banks, radio and television stations, inter-provincial trucking, airports and airlines, railways, telecommunication companies such as internet service providers, etc.)
- Organizations engaged in commercial activities that involve inter-provincial or international personal information flows – in this case, the organization has to comply with PIPEDA for all transactions pertaining to these flows.
- Organizations operating in provinces that do not have a substantially similar private sector privacy law. The Commissioner has declared that British Columbia, Alberta, Quebec, and, in matters relating to health care, Ontario, have substantially similar legislation. As a consequence, companies operating within these provinces (or within the health sector in Ontario) would obey provincial legislation, except for transactions involving inter-provincial or international personal information flows.
- Organizations in the Northwest Territories, Yukon and Nunavut
If your company operates in more than one province, you may have to comply with more than one statute.
For instance, if your organization operates in British Columbia and Alberta, you will have to comply with both statutes. In addition, if you are exchanging data between your two locations or with a customer located in a different province, you will have to obey PIPEDA for this exchange. Examples include selling a mailing list from one province to another or sending customer data to a loyalty program in another jurisdiction.
3 Facts About PIPEDA
A Periodic Review Every 5 Years
According to s. 29, PIPEDA has to be reviewed every five years by the committee of the House of Commons designed for that purpose.
This means that your cybersecurity obligations may be altered to reflect new technologies and threats. Compliance requires a proactive attitude and an information security framework that is constantly redesigned based on new legal developments. Flexibility and awareness are key to evolve your cybersecurity to stated requirements.
Digital Privacy Act
The Digital Privacy Act (formerly known as Bill S-4), received Royal Assent in June 2015 and amends PIPEDA in significant ways. The changes pertaining to breaches of security safeguards (data breaches) are still to come into force, once the necessary regulations are put in place.
- The Privacy Commissioner can now:
- enter into compliance agreements to ensure the application of PIPEDA.
- make public any information that comes to his knowledge in the performance or exercise of his duties or powers under the Act, if it is in the public interest.
- The creation of data breach notification provisions and recordkeeping.
The concept of ‘reasonableness’ is prominent across PIPEDA and organizations are required to perform many contextual analyses to determine whether their practices are compliant. For instance, the Safeguard principle states that an organization must adopt security safeguards that are appropriate for the sensitivity of the personal information held.
Watch our webinar “The Developing World of Cyber Litigation and Compliance” to learn more about the role of ‘reasonableness’ in cybersecurity laws.
What future for PIPEDA?
Experts question whether PIPEDA will meet the new European standards of the General Data Protection Legislation, which comes into effect on May 25, 2018. It’s very likely that we will lose the adequacy status unless we make substantial changes to PIPEDA, in addition to the mandatory breach requirements that are coming into force in 2018 (regulations for applications). Many reports have been presented to the Parliament pointing out to many gaps.
Regardless of the EU-US Privacy shield, more will have to be done.