Answer ... The primary statute that governs data protection in the private sector is the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates the collection, use and disclosure of personal information, except in those provinces that have enacted legislation that is substantially similar to PIPEDA. Currently, British Columbia, Alberta and Quebec have enacted substantially similar legislation. However, PIPEDA will generally apply to businesses that disclose personal information across provincial borders or to a destination outside of Canada. Certain additional legislation in respect of specific sectors, such as with respect to personal health information, has also been enacted by some provinces. A separate regulatory regime applies to public bodies at both the federal and provincial level.
Under PIPEDA, businesses that collect personal information remain responsible for the information under their control (including information transferred to third parties for processing), and must designate an individual to be accountable for the business's compliance with PIPEDA. In addition, businesses must:
- obtain informed consent to the collection, use and disclosure of personal information;
- protect personal information in their possession against loss, theft or unauthorised access, disclosure, copying, use or modification; and
- limit the collection of personal information to that which is necessary for the applicable purpose.
PIPEDA also requires businesses to report to the Privacy Commissioner, and to notify affected individuals of, any breach of security safeguards involving personal information under their control where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
Answer ... PIPEDA requires businesses to maintain security safeguards, appropriate to the sensitivity of the information, that protect personal information, regardless of the format in which it is held, against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. Safeguards may include:
- physical measures, such as locked storage and restricted access;
- organisational measures, such as limiting access to a ‘need-to-know’ basis; and
- technological measures, such as the use of passwords and encryption.
Canada’s Anti-spam Law (CASL) contains provisions that govern the installation of computer programs in the course of commercial activities: it prohibits installing a program on another person’s computer system without that person’s express consent. These provisions are aimed at malware such as viruses and spyware, and apply where the computer system is located in Canada or the person doing the installing is in Canada.
In addition, the federal Office of the Superintendent of Financial Institutions and the Canadian Securities Administrators each provide guidance to address cybersecurity risks for organisations which fall under their jurisdiction.