PIPEDA Legislation: Why the Digital Privacy Act Changes Everything
The Digital Privacy Act (DPA), which was passed earlier this year, is a welcome step forward in modernizing privacy laws in Canada.
“Canadians are concerned about many privacy issues,” said Daniel Therrien, Privacy Commissioner of Canada in a priv.gc.ca story.
A 2015 survey commissioned by the Office of the Privacy Commissioner of Canada found that nine in 10 Canadians are concerned about their privacy. The research showed that data breaches, identity theft, digital privacy and warrantless access to personal data are top of mind.
The DPA amends the Personal Information Protection and Electronic Documents Act (PIPEDA), which is Canada’s federal law that governs how private sector organizations handle private and confidential information. Federally and provincially regulated organizations such as banks, airlines, telecommunications companies, retail stores, publishing companies, service companies, and manufacturers are all affected.
PIPEDA legislation has not been amended since it was passed in 2000.
The DPA introduces a new breach notification requirement and sets rules for how personal information can be collected, used and disclosed in business activities.
The changes raise the stakes for non-compliance but also expand the permissible scope of information sharing, said one industry observer.
What are some of the ways the legislation protects personal information?
- Mandatory breach notification: Organizations will now have to inform consumers and the Privacy Commissioner of Canada when personal information has been lost or stolen. The new act will require notification if the data security breach could “create a real risk of significant harm” to individuals. Organizations must also maintain and provide records of breaches to the privacy commissioner upon request. Notification rules will come into force once regulations outlining data breach requirements are completed.
- Greater non-compliance consequences: The PIPEDA amendments make it a criminal offence for an organization to knowingly fail to comply with notification and record-keeping requirements following a data breach. Companies that do so could face fines of up to $100,000.
- PIPEDA compliance: The DPA enhances the powers of the Canadian Privacy Commissioner, which can form ‘compliance agreements’ with organizations that have committed or may commit a breach of PIPEDA in order to ensure compliance.
- Consent regulations: An individual’s consent will be valid only if the person understands what they’re consenting to in terms of providing personal information online. “The upshot is that organizations will need to simplify their consent documentation,” explained an insiderprivacy.com post.
- Protection procedures: Under PIPEDA, companies must have procedures in place to protect personal information from unauthorized access. This would include document retention policies and destruction procedures, which ensure personal information that is no longer needed is securely destroyed. “Too many privacy breaches are still the result of simple but careless actions, such as leaving documents containing personal information in garbage containers and recycling bins or stored on discarded electronic equipment,” said Kristjan Backman, chair of NAID-Canada (National Association for Information Destruction). According to the Office of the Privacy Commissioner of Canada: “Security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.”
Find out what it takes to stay compliant with PIPEDA legislation.