Canada has long been at the forefront of data protection with its Personal Information Protection and Electronic Documents Act (PIPEDA) enacted as early at 2000. The early legislation was based on the 10 principles set out in the Model Care for the Protection of Personal Information way back in 1996 which included, among others, accountability, consent and the limiting of data collection. Today, these principles can also be found in the EU General Data Protection Regulation (GDPR).
PIPEDA in fact received the European Commission’s stamp of approval by an adequacy ruling made in favor of its commercial organizations at the end of 2001. With the GDPR looming on the horizon, the Canadian government was one of the first to realize the need to update its legislation to ensure the smooth continuation of data transfers between their country and the European block. The Data Privacy Act, an amendment to PIPEDA, preceded the final text of the GDPR by six months and was adopted on June 18, 2015. Its new requirements however came into force only on 1 November 2018, giving Canadian companies plenty of time to prepare for compliance.
Who does PIPEDA apply to?
There is a reason why the adequacy ruling received by Canada was restricted to commercial organizations: PIPEDA only applies to the collection, use or disclosure of personal information in the course of a commercial activity. Federally-regulated businesses such as banks, airlines and telecommunications companies also fall under its scope.
What this essentially means is that not-for-profit organizations, political parties and associations as well as educational institutions and hospitals, as long as they don’t engage in any commercial activities, are outside the jurisdiction of PIPEDA. Fundraising, collecting membership fees and donations as well as compiling lists of members or donors for the purpose of communication are not considered commercial activities, but selling, bartering or leasing these lists is.
PIPEDA does not apply to federal government departments and agencies as their personal information-handling practices fall under the incidence of the Privacy Act.
Organizations operating entirely in provinces where local private-sector laws have been deemed sufficiently similar to PIPEDA, are also exempt. Currently, the provinces of Alberta, British Columbia and Quebec fall within this category, while the health data in four others, Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia, are also protected by local legislation. However, once data crosses provincial or national borders, PIPEDA applies.
While PIPEDA does not state what its territorial reach is, the Federal Court of Canada has ruled that PIPEDA does apply to businesses found in other jurisdictions if there is a substantial connection between an organization’s activities and Canada. This means that PIPEDA can have ramifications for US and international organizations targeting Canadian customers.
What is personal data under PIPEDA?
PIPEDA protects personal data that contains any factual or subjective information, recorded or not, about an identifiable individual. This consists of not only personally identifiable information (PII) such as name, age, ID number and ethnicity or medical records, employee files, credit records and so on, but also opinions, evaluations, comments, social status and disciplinary actions.
Sensitive data not covered by PIPEDA includes, among others, personal information processed by federal government organizations that fall under the incidence of the Privacy Act, business contact information used to communicate with a person in relation to their employment or profession, an individual’s collection, use or disclosure of personal information strictly for personal purposes or an organization’s collection, use or disclosure of personal information for journalistic, artistic or literary purposes.
The 10 Principles of PIPEDA
Referred to as the fair information principles, these ten criteria represent the foundation of PIPEDA and are detailed in the Schedule 1 of the Personal Information Protection and Electronic Documents Act. Beyond them, organizations are responsible for the protection and fair handling of personal information at all times and are obligated to ensure that any collection, use or disclosure of personal information is done only for purposes that a reasonable person would deem appropriate given the circumstances.
The 10 fair information principles are:
- Accountability: An organization is responsible for the personal information under its control. It must appoint a Privacy Officer whose purpose is to ensure compliance with PIPEDA.
- Identifying Purposes: Organizations must identify the purposes for which personal data is being collected before or at the time of collection.
- Consent: Individuals’ consent is needed for the collection, use or disclosure of personal information. Some exemptions apply to this principle such as, for example, in cases where legal, medical or security reasons make seeking consent impossible or impractical.
- Limiting Collection: Information must be collected by fair and lawful means and must be limited to the data needed for the purpose identified by the organization.
- Limiting Use, Disclosure, and Retention: Personal information can only be used or disclosed for the purposes for which it was collected and must be kept solely for the duration required to serve those purposes unless the individual consents otherwise or it is required by law.
- Accuracy: Personal information must be as accurate, complete, and as up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
- Safeguards: Personal information must be protected through appropriate security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
- Openness: Organizations must be open about their policies and practices relating to the management of personal data and ensure that such information is easily available to individuals in a generally understandable format.
- Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to it. Individuals have the right to challenge the accuracy and completeness of that information and have it amended as appropriate. Organizations may deny access to personal data if the information cannot be disclosed for legal, security, or commercial proprietary reasons or is subject to solicitor-client or litigation privilege.
- Challenging Compliance: An individual can challenge an organization’s compliance with PIPEDA’s principles and address their challenge to the company’s Privacy Officer in charge of PIPEDA compliance.
Mandatory Data Breach Notifications
One of the major new requirements brought by PIPEDA’s update was the introduction of mandatory data breach notifications. As of November 1st 2018, organizations subject to PIPEDA must notify the Privacy Commissioner of Canada if they become aware of any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. Companies must also inform individuals affected by such breaches.
Organizations must now keep records of all breaches of security safeguards for two years, whether these breaches were reported to the Privacy Commissioner of Canada or not.
Companies will need to develop a framework to assess the real risk of significant harm. Among the factors the Privacy Commissioner of Canada suggests organizations take into consideration are the sensitivity of the personal information involved in the breach and the probability that the personal information might be misused. The later can be evaluated by asking questions relating to the nature of the breach such as whether it was the result of malicious intent or whether the lost data was adequately encrypted or anonymized.
If an organization knowingly disregards the new PIPEDA requirements of data breach notifications and record keeping, they face fines of up CAD$100,000.
Canada continues to be ahead of the curve in the data protection field and its improvements to PIPEDA are sure to win the approval of the European Commission and keep it on the list of adequate countries for cross-border transfers, effectively ensuring that Canadian businesses continue to serve European and Canadian customers alike while keeping their personal data secure.