Introduction to the CPPA
In June 2022, the federal government introduced Bill C-27, which proposes significant updates to Canada's federal private sector privacy framework. Bill C-27 is currently in its second reading in the House of Commons. If passed, Bill C-27 would replace the Personal Information and Electronic Documents Act with the Consumer Privacy Protection Act ("CPPA"). The CPPA imposes several new obligations that private organizations should be aware of.
One of the main features of the CPPA is the requirement for organizations to have a privacy management program ("PMP"). PMPs are also a feature of new provisions in British Columbia's Freedom of Information and Protection of Privacy Act.
CPPA on PMPs
The CPPA requires every organization to implement and maintain a PMP. A PMP includes all the policies, practices, and procedures that comprise an organization's action plan to fulfil its obligations under the CPPA. It may go beyond legislative compliance to help ensure an organization meets its contractual and other privacy and confidentiality commitments.
At the very least, a privacy management program should address how the organization meets its obligations with respect to:
- how the organization protects personal information;
- how individuals can exercise their rights, including how the organization receives and handles requests for access to personal information, complaints, withdrawals of consent, and data porting requests;
- what kind of training and information the organization provides to staff about its policies, practices, and procedures; and
- the development of materials to explain the organization's policies, practices, and procedures.
Towards a PMP Implementation Plan
Your organization should develop an action plan to review the existing pieces of your PMP and identify priorities for further improvements. There are several key concepts in the CPPA that your organization should consider in the PMP process.
a. Appointing a Designated Individual
Your organization must designate at least one individual to be responsible for privacy compliance. That person should be involved with the development and implementation of all policies, practices, and procedures that your organization employs to meet its obligations under the CPPA. They should also be a key member of the incident response team.
b. Providing Access to the Privacy Management Program
Under the CPPA, there will be a greater demand for transparency from both the public and the Information and Privacy Commissioner. Organizations should ensure that their privacy management program is regularly updated, well-organized, and readily available at all times, so that it can be produced promptly when requested.
c. Service Provider Obligations
If your organization transfers personal information to a service provider in the course of business, you must ensure that the service provider applies equivalent privacy protections. Contract and vendor management will be a significant obligation under the CPPA. Your organization should have a process for privacy review and approval of contracts.
d. Obtaining Valid Consent
The CPPA proposes some changes to the requirements for valid consent and establishes statutory exceptions. Within your privacy management program, you should review your organization's procedure for obtaining valid consent, its policy on the withdrawal of consent, and any exceptions to the consent requirements that your organization might rely on. Staff should be trained appropriately on this issue.
We will explore the changes to the consent requirements in the CPPA in a separate blog post.
e. Reporting Breaches
Organizations are required to report certain breaches of security safeguards involving personal information to the Information and Privacy Commissioner. Organizations must have an incident reporting process that addresses the requirements to notify individuals and report breaches that give rise to a real risk of significant harm. Your organization must also maintain a record of certain information in respect of breaches, including incidents that are not reported.
f. Information governance / Document management
Organizations must properly protect the information that they retain and securely destroy the information they no longer need. Ensure that your organization implements a system to correctly identify and categorize information, particularly sensitive information, in order to comply with this obligation.
i) Retention and destruction
A record retention and destruction plan is crucial. It maintains access to the information that your organization needs, while also ensuring that your organization does not retain personal information for longer than permitted under the CPPA and other privacy laws. Failing to destroy information that is no longer needed may widen the scope of a potential security breach and expose your organization to greater liability than necessary.
ii) Internal Access Limitations
Organizations should consider controlling internal access to information in their systems. When information is identified and classified properly, organizations can limit internal access to it, thereby reducing the risk that information is improperly accessed or used.
g. Security, monitoring and threat assessment
Courts and regulators are increasingly expecting organizations to implement strong security, monitoring and threat assessment measures in respect of sensitive information. This should be an aspect of your PMP. If sensitive information is vulnerable to misuse, including by employees, organizations may be obligated to take steps to diligently detect and respond to threats in a timely manner.
h. Employee Training
Your organization should ensure that all employees receive adequate and regular training on the policies, practices, and procedures that constitute your PMP. Personnel at all levels should be familiar with your organization's obligations under the CPPA and how those obligations apply to their job duties and responsibilities.
- The CPPA is coming – and so are new obligations to have a PMP.
- What makes a PMP appropriate depends on your organization's size, functions, and the kind of information it handles.
- There are several things to consider as you draft and implement a PMP for your organization – overlooking a crucial consideration may expose your organization to liability in the event of a security breach.
As you prepare for the CPPA, consider how extensive your privacy management program needs to be, develop a plan to implement it, and ensure that you schedule regular reviews as your organization grows and technology changes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.