PIPEDA Update: Ushering in the Digital Privacy Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets ground rules for how organizations collect, use or disclose personal information in the course of commercial activities. For a general overview of PIPEDA, please see our previous article on the subject, Canada's Electronic Privacy Legislation: PIPEDA.

On June 18, 2015 (over a decade after PIPEDA’s inception), Canada passed Bill S-4 (short title, the Digital Privacy Act). The Digital Privacy Act introduced a number of amendments to PIPEDA, most of which are now in force, with the dual goals of better protecting Canadians and removing barriers to legitimate activities. This article outlines the changes that you should be aware of moving forward. You can find the amended version of PIPEDA here: 

http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html

Obtaining Consent

In order to obtain consent, as required under PIPEDA, organizations must now:

  1. Communicate clearly with their target audience; and
  2. Consider whether it is reasonable to expect that the target audience understands the nature, purpose and consequences of the organization collecting and/or disclosing their personal information.

Disclosure Without Consent

Organizations are now permitted to share individuals’ personal information in certain situations in order to protect them from harm. An organization may disclose an individual’s personal information:

  • To another organization to investigate a breach of an agreement or law, where the failure to disclose would compromise the investigation;
  • To another organization to detect, suppress or prevent fraud, where the failure to disclose would compromise such efforts;
  • To a government institution or the individual’s next of kin (or authorized representative) if there are reasonable grounds to believe that the individual is the victim of financial abuse; or
  • To a government institution or the individual’s next of kin (or authorized representative) in order to identify an individual who is injured, ill or deceased, provided that the organization informs the individual in writing.

Organizations may also disclose personal information within the course of certain day-to-day business activities. Examples include disclosing information for the purpose of processing insurance claims, completing business transactions, managing employees and conducting due diligence.  

Encouraging Compliance

The powers of the Privacy Commissioner of Canada have been expanded to encourage increased compliance. The Privacy Commissioner is now permitted to request that an order be issued by the Federal Court of Canada, based on the findings of an investigation. The amendments have also enhanced the scope of the Privacy Commissioner’s clearance to release information to the public about non-compliant organizations.

Data Breach Notification and Record-Keeping

While we await the release of regulations to this effect, the Digital Privacy Act makes it clear that, in the near future, organizations will have to:

  1. Notify individuals if a data security breach creates a “real risk of significant harm” to them, based on their personal information; and
  2.  Report such breaches to the Privacy Commissioner of Canada.

If an organization fails to do either of the aforementioned steps, then it may face up to $100,000.00 in fines upon indictment or $10,000.00 upon summary conviction.

What Should You Do?

  • Obtain appropriate consent when collecting and/or disclosing an individual’s personal information, except where disclosure arises in an exceptional circumstance, namely:

a.      It is between organizations for the purpose of day-to-day business; and/or

b.      It is necessary, in the circumstances, to protect the individual from harm.

  • Start (or continue) keeping detailed records of all data breaches, including:

a.      The information that was lost or stolen;

b.      Names of the individuals identified in the lost or stolen information;

c.      The date and time of the breach;

d.      How the breach occurred; and

e.      Steps taken to remedy the breach.

  • Implement a company policy to report data breaches to the Privacy Commissioner of Canada.
  • Depending on the amount of data collection and disclosure your company does, consider purchasing cyber liability insurance.

For more information, please reference the Government of Canada's Digital Privacy Act Backgrounder

How Momentum Can Help

Data security is increasingly subject to government scrutiny, as evidenced by the substantial monetary penalties in privacy statutes.

We can help your organization ensure that its practices are consistent with PIPEDA and CASL. In addition to drafting privacy policies, we offer comprehensive training seminars and compliance audits. Please contact us today if you have any questions about your corporate privacy or e-commerce needs.