New Privacy Obligations in Canada
As of November 1, any organization that manages personal information and to which the Personal Information Protection and Electronic Documents Act (PIPEDA) applies is subject to new obligations for data breach reporting and record keeping.
The Act and the Protection of Personal Information
First, let’s establish what is considered personal information. Personal information is any information that, taken alone or in combination with other personal information, makes an individual identifiable, whether by name or by other key facts such as an individual’s profile or behaviour.
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all organizations, unless an exception applies, that collect, use or disclose personal information in the course of their commercial activities, and it enacts all the obligations and practices the organizations must comply with in this respect.
It should be noted that Quebec has a law that is deemed substantially similar to PIPEDA: the Act respecting the protection of personal information in the private sector (the "Quebec Act"). Thus, PIPEDA applies to the processing of personal information carried out in the context of activities outside Quebec or interprovincial activities of the organization, whereas only the Quebec Act applies to its activities within the province.
Security measures to protect personal information
PIPEDA provides that "personal information shall be protected by security safeguards appropriate to the sensitivity of the information". (Principle 4.7 of Schedule 1 of PIPEDA).
The sensitivity of information must be determined by considering the type of information and the context in which it can be used. The potential prejudice that a person may suffer in the event of the information’s disclosure is a factor to consider when determining the degree of sensitivity. For example, an email address will generally not have the same degree of sensitivity as a credit card number. Of course, the more sensitive the information is, the stronger the security measures needed to protect it. The choice of security measures will therefore vary according to the degree of the data’s sensitivity, but also according to the size of the database, the amount of personal information collected per individual, the form in which it is kept and the methods used to keep it.
PIPEDA states that "security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held." (Principle 4.7.1 of Schedule 1 of PIPEDA). The information must be protected whether it is kept solely in physical form, in a cloud or otherwise.
Protection methods should include:
- Physical measures, such as restricting access to the premises where servers and storage are located;
- Administrative measures, such as authorizations issued to individuals performing specific duties requiring access to information; and
- Technical measures, for example the use of passwords and encryption.
Reporting of data security breach: new obligations
Since November 1st, organizations subject to PIPEDA have obligations when there is a breach of security safeguards. More specifically, in the case of such a breach, the organization responsible for the processing of the personal information must:
For all breaches of security safeguards:
- Keep a record of all breaches of security safeguards for two years. This register must enable the Commissioner’s Office to verify the organization's compliance with its reporting and notification obligations and must, at a minimum, contain the date and a general description of the breach, the nature of the information involved, and whether or not a report to the Commissioner’s Office and a notification to the affected individuals have been made.
In the event of a security breach where it is reasonable to believe that the breach creates a “real risk of significant harm” to an individual:
- Report the breach to the Office of the Privacy Commissioner.
Note that this report must be made regardless of the number of individuals concerned, and it can be made using the form available on the Commissioner’s Office website.
- Notify all individuals whose personal information is affected by the security breach. This notice must be conspicuous and given directly to the individual, with some exceptions, and as soon as possible after the organization has determined that the breach entails a real risk of significant harm.
- Notify any other organization that is able to reduce the risk of prejudice that may result from this breach.
The following will generally be considered "significant harm": bodily injury, humiliation, damage to reputation, identity theft, adverse effects on a credit file, loss of business opportunity, etc. The degree of sensitivity of the information covered by the security breach must obviously be taken into account when assessing the seriousness of the harm.
Complaint and sanctions
The Privacy Commissioner's Office is notably responsible for ensuring PIPEDA compliance and can, as such, receive complaints, intervene through an investigation process and issue compliance reports. If the Commissioner's Office is of the view that an organization contravenes its obligations regarding data security measures, it may report this information to the Attorney General of Canada, who may take any action deemed appropriate. The organization could then, in addition to having to rectify its practices, be fined.
It is interesting to note that the coming into force of these Canadian provisions is in line with the regime established by the General Data Protection Regulation (GDPR) in Europe, which came into effect last May. We can see, therefore, that the privacy principles already in place remain, here as elsewhere, but that they are now accompanied by disclosure and record-keeping requirements for organizations. These obligations also tend to be increasingly coercive in nature, which is clearly intended to increase the importance that organizations must attach to the protection of individuals' data.
In short, regardless of their size, all organizations that collect, manage, use and/or retain personal information in Canada are required to comply with all applicable laws regarding the collection, processing and protection of personal information. Should you wish to know more about your privacy obligations or wish to be assisted on this matter, please contact Ms. Sophie Deschênes-Hébert.