November 1st marks the implementation of Canada’s amendments to its current federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which was originally enacted in 2000 to govern how organizations in Canada collect and disclose personal information in their commercial activities.
These amendments come as a result of the Digital Privacy Act, a newly passed federal law that updates PIPEDA's data breach response requirements to include three key new obligations: record-keeping, reporting, and notification.
This post summarizes the significant changes to PIPEDA brought about by the Digital Privacy Act.
The most significant update to PIPEDA concerns the requirements organizations must meet, and the notification process they must follow, when a breach occurs.
The updated act requires organizations to:
The updated Act also requires that notifications be sent to the Office of the Privacy Commissioner of Canada (OPC) in writing and that they include the following:
Notifications to affected individuals can be delivered through telephone, mail, e-mail or any other form of communication. The requirements for notifying affected individuals are similar to the OPC notification requirements above, but also include the following:
The Digital Privacy Act also strengthens the power of the OPC by allowing the Commission to form compliance agreements with organizations that may have committed, or are likely to commit, a breach of the PIPEDA regulations. This can be seen as a preventative measure to ensure an organization’s compliance with the new amendments.
Although the Digital Privacy Act has given the OPC this additional power, organizations remain responsible for reporting breaches and for analyzing the level of harm a breach will have on those affected. And while the reporting requirements are strict, it is important for organizations to understand that not every incident must be reported to the OPC; the Act states that only breaches that will harmfully impact affected individuals should be reported. The Act does not clearly define what type of information loss is considered harmful, but the OPC has released further guidance as well as a reporting form for proper breach reporting to the Commission. Determining the level of harm is an important part of assessing and mitigating the risk, and it is also essential for determining which incidents must be reported.
The new updates to PIPEDA’s breach notification requirements are indicative of the global push for improved privacy regulations. While these updates to PIPEDA are new, none are particularly unique or surprising. Organizations operating under PIPEDA need to ensure that they conduct risk assessments, ensure that user data is securely recorded and stored, and maintain proper records of all incidents and breaches.
Organizations should also do their best to keep abreast of global privacy laws and updates. Each new law influences future laws, and staying on top of this global privacy landscape is a great way to remain ahead of future trends.