The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s main federal privacy law. Compliance with PIPEDA is essential for private sector businesses operating in Canada. Violation of PIPEDA can lead to a court action brought by individuals or by the Office of the Privacy Commissioner (OPC). The law originally went into effect on April 13, 2000, to promote trust in e-commerce, but it has since expanded to cover industries such as banking, broadcasting, and the health sector.
The legislation states its main purpose as:
“To govern the collection, use, and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Under PIPEDA, similar to the European Union’s General Data Protection Regulation (GDPR), users have the right to access their personal information held by an organization, know who is responsible for collecting it, why it’s being collected, and challenge its accuracy. An important aspect of PIPEDA is the fact that it’s designed to keep Canada’s notification requirements consistent with the country’s trading partners, particularly the EU.
What is Covered?
Under PIPEDA, personal information is any “information about an identifiable individual,” which covers virtually any data collected in the course of commercial activity. Under PIPEDA, the following can be considered personal information:
- Age, name, ID numbers, income, or financial information
- Race, national or ethnic origin
- Marital status
- Blood type
- Medical, education, or employment history
- Social insurance number or driver’s license
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
What does this mean for an SMB?
All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation). Essentially, businesses that operate outside of Canada and do not process private data on Canadian users, as outlined above, need not worry about PIPEDA itself. However, similar legislation is in place throughout most of the world, so such businesses should instead focus on examining their own country’s data privacy laws. Once you understand your legal obligations in your home country, you’ll want to develop a breach notification plan.
THE IMPORTANCE OF A BREACH NOTIFICATION PLAN
It’s very important to have a plan for notifying any users and applicable agencies involved in a data breach. The time to work out how to notify, and what the applicable home-country laws and requirements are, is before a breach, not during one. In the US, there is a patchwork of data privacy laws enacted by individual states. There is no federal law in effect. In preparing your breach notification process, make sure you seek outside counsel and expertise to help you comply with the laws of each state (or country, as the case may be) whose residents’ data you hold.
- European Union’s General Data Protection Regulation (GDPR)
- California Consumer Protection Act (2018)
- Australia’s Privacy Amendment (Notifiable Data Breaches) Act of 2017
- Germany’s Data Privacy Law Compared to GDPR (BDSG)
CyberHoot recommends that you know the laws affecting your company and that you prepare a breach notification process document reflecting those laws. Don’t forget to test the process annually as well.
THE BEST DEFENSE AGAINST DATA BREACH FINES IS NO BREACH AT ALL
Beyond establishing a breach notification process, there are many other actions your company can take to reduce the risk of a breach. CyberHoot recommends the following basic breach counter-measures:
- Train and test employees on how to spot and avoid phishing, smishing, and vishing attacks;
- Govern employees with a set of cybersecurity policies that establish company cybersecurity requirements;
- Employ the principle of least privilege by taking away admin rights from user desktops and laptops;
- Adopt a password manager to improve employee password hygiene;
- Enable two-factor authentication on all critical accounts (email, bank, etc.); and
- Authenticate callers into your business when they are making high-value requests (asking for information, changing bookings, charging a credit card, etc.). Companies with access to client mobile phone numbers should text an authentication code to each change requestor.