November 1st marks the implementation of Canada’s amendments to its current federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which was originally enacted in 2000 to govern how organizations in Canada collect and disclose personal information in their commercial activities.
These new amendments come as a result of the Digital Privacy Act, a newly-passed federal law that updates PIPEDA's data breach response requirements to include three key new obligations: record-keeping, reporting, and notification. This post summarizes the significant changes to PIPEDA brought about by the Digital Privacy Act.
PIPEDA's New Data Breach Requirements
The most significant update to PIPEDA is centered around the requirements and notification process organizations should uphold when a breach occurs.
The updated act requires organizations to:
- Conduct a risk assessment to determine the possible risk of a breach and the significant harm it may cause individuals.
- Report data breaches to the Office of Privacy Commission (OPC) and affected individuals as soon as possible.
- Maintain a record of the breach for 24 months after the breached has occurred.
PIPEDA's New Breach Notification Requirements
The updated Act also requires that notifications be sent to the OPC in writing and must include the following:
- A description of the breach and - if possible - the probable causes;
- The date and time that the breach occurred;
- The kind of personal information that was revealed;
- The quantity of individuals’ data that was accessed;
- An account of steps taken to limit the harm to individuals affected by data loss;
- How the firm plans on notifying individuals; and
- The contact information of a firm’s representative to answer the OPC’s questions.
Notifications to affected individuals can be delivered through telephone, mail, e-mail or any other form of communication. The requirements for notifying affected individuals are similar to the OPC notification requirements above, but also include the following:
- Provide a description of the steps that affected individuals can take to mitigate the harm of the breach; and
- Provide contact information that the affected individual can use to obtain further information about the breach.
Reporting to the OPC
The Digital Privacy Act also strengthens the power of the OPC by allowing the Commission to form compliance agreements with organizations that may have committed, or are likely to commit, a breach of the PIPEDA regulations. This can be seen as a preventative measure to ensure an organization’s compliance with the new amendments.
Although the Digital Privacy Act has added this additional power to the OPC, organizations are still responsible for reporting breaches and analyzing the level of harm a breach will have on those affected. And while the reporting requirements are strict, it is important for organizations to understand that not every incident must be reported to the OPC; the act states that only breaches that will harmfully impact affected individuals should be reported. The act does not clearly define what type of information loss is considered to be harmful, but the office of the OPC has released further guidance as well as a reporting form for proper breach reporting to the Commission. Determining the level of harm is a important part of assessing and mitigating the risk, but it’s also essential for determining which incidents must be reported.
Putting the PIPEDA Updates in Context
The new updates to PIPEDA’s breach notification requirements are indicative of the global push for improved privacy regulations. While these updates to PIPEDA are new, none are particularly unique or surprising. Organizations operating under PIPEDA need to ensure that they conduct risk assessments, ensure that user data is securely recorded and stored, and maintain proper records of all incidents and breaches.
Organizations should also do their best to keep abreast of global privacy laws and updates. Each new law influences future laws, and staying on top of this global privacy landscape is a great way to remain ahead of future trends.
Stay On Top of Global Privacy Trends
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.