This 10-step guide will walk you through the upcoming changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), the factors to consider in being prepared under PIPEDA and other related considerations. This guide is no replacement for targeted legal advice. If you are an organization affected by the changes to PIPEDA, please contact us to determine what you need to do to be prepared and how you can minimize your organization's potential legal exposure. There is no "one size fits all" when it comes to managing compliance with privacy regulation.

The biggest changes, which will be coming into force on November 1, 2018, are:

  1. Mandatory breach reporting to the Office of the Privacy Commissioner (OPC).
  2. Mandatory breach notification to impacted individuals.
  3. Mandatory breach record-keeping.
  4. Financial penalties of up to $100,000 for non-compliance with items 1 to 3.

Background

PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity.[1]

Personal information includes any factual or subjective information about an identifiable individual. Information is about an "identifiable individual" when there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information. Examples include: email addresses, credit card numbers, names, the contents of a safe deposit box, financial records, biometric records, and information collected through GPS or RFID chips.

A commercial activity is conduct that is of a commercial character (including the selling, bartering or leasing of donor, membership or other fundraising lists).

PIPEDA does not generally apply to:

  • business contact information;
  • information used by an individual for only personal purposes;
  • information used only for journalistic, artistic or literary purposes;
  • information about an employee if it is not used or disclosed in connection with the operation of a federal work, undertaking or business;
  • information handled by municipal, provincial, territorial, or federal governments;
  • municipalities, universities, schools, and hospitals (they are covered by provincial laws); or
  • political parties, political associations, charities or not-for-profits unless they are engaging in commercial activities that are not central to their mandate.

Step 1: Identify What Information You Have

Primary Considerations

  • Identify categories of personal information for which your organization is responsible and which of those fall within the scope of PIPEDA.

    • Not all information carries the same degree of sensitivity. Consider which information is high-risk. For example, the OPC has considered financial and medical records to be very sensitive.
  • Was the personal information collected by fair and lawful means?

    • Do you have documentation on why the personal information was collected?
    • Do you have documentation of the individuals' consent?
    • The purpose for which the personal information is being collected must be identified by the organization before or at the time of collection.
    • The collection and use of information must be limited to the identified purpose.
  • Consider whether you need the personal information you are gathering.

    • Information that is not required to fulfill the identified purpose should be destroyed, erased or made anonymous.
    • Develop guidelines and implement procedures to govern destruction of personal information.

Other Considerations

  • Does your organization have personal information affected by the legislation in other jurisdictions? For example, if your organization offers goods or services to, or monitors the behaviour of, EU data subjects, the General Data Protection Regulation (GDPR) may apply.

    • Non-compliance with the GDPR can result in administrative fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher).
  • Does your organization have contractual obligations to third parties that are triggered by an incident affecting any category of confidential information?
  • If a consumer or individual calls and requests access to their information, can you give it to them in a timely manner?
  • Is the personal information as accurate, complete, and up-to-date as possible?

Footnotes

[1] With respect to organizations that are not a federal work, undertaking or business, PIPEDA does not apply to the collection, use or disclosure of personal information occurring within British Columbia, Alberta or Québec, as each of those provinces has privacy legislation that has been deemed substantially similar to PIPEDA. Several other provinces have health information privacy legislation that has been deemed substantially similar to PIPEDA. PIPEDA does not apply to employee information if the organization is not a federal work, undertaking or business, but other provincial legislation may apply.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.