Canada sets the pace in the protection of personal data and national data security law. This reflects in the enactment of the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA’s breach notification requirements are important for businesses situated in Canada.
Passed in 2000, the PIPEDA Act is a consumer-friendly law that was created to improve the trust of consumers in electronic commerce by ensuring maximum privacy data security.
In 2015, the PIPEDA mandatory breach reporting feature was added to the Act. Although the Act wasn’t implemented until 2018, the addition of the mandatory breach notification to PIPEDA meant that organizations must notify individuals and/or consumers of any violation of their personal information.
Therefore, if you do business in Canada and experience a hack or data breach, you’ll need to follow PIPEDA breach notification requirements. Learn all about them here.
What is PIPEDA Breach Reporting?
Before we delve into the specifics of PIPEDA breach reporting, let’s know what PIPEDA is.
PIPEDA is a user-friendly Canadian law based on the principles of Privacy by Design (PbD). It was created to help private organizations manage the collection, use, or disclosure of personal information of their consumers in the course of commercial activities. It also ensures consumers have control over the use of personal data by private entities.
As part of the principles of PIPEDA, organizations are also required to implement security safeguards to avoid data violations of their consumers.
However, in cases of data compromise, PIPEDA mandatory breach reporting mandates organizations to notify affected individuals, the Privacy Commissioner of Canada, and, in some cases, third-party organizations of any violations that may pose a significant threat or risk to individuals.
Ten Principles of PIPEDA
- Accountability: This involves developing and implementing regulations, assigning personnel to monitor the collection, use, and disclosure of personal information in organizations.
- Identify Purpose: This stipulates that the purpose and how personal information will be used should be predetermined before the collection of any data.
- Consent: The knowledge and approval of individuals must be sought before the collection and use of their personal information. In situations where the pieces of information are needed for a new use, proper consent must be sought again from the individuals involved.
- Limit Collection: This principle stipulates that organizations should only collect information that’s needed for specific purposes. Also, information must be obtained legally and through the proper channels.
- Limit Use, Disclosure, and Retention: Personal data should only be used for the purpose and length to which an individual consented to, retention can only be stipulated by law or otherwise stated.
- Accuracy: Information must be accurate and kept updated as much as possible especially if it’s used frequently or needed to make a decision.
- Safeguards: Develop security practices and regulations to protect personal data from theft, loss of information, and data breaches.
- Openness: The policies, procedures, and methods of data security management must be properly communicated by organizations to stakeholders, customers, and frontline staff.
- Individual Access: Individuals have the right to access any of their information held by organizations. They also have the right to request an amendment of any information as they deem fit.
- Challenging Compliance: Individuals hold the freedom to question the compliance of an organization based on the afore-listed principles. It’s expected that their questions would be addressed properly by the appropriate personnel responsible for PIPEDA compliance in the organization.
Who Should Comply With PIPEDA?
Having explained the meaning and importance of PIPEDA, it’s imperative to clarify the specific organizations that are expected to comply with the PIPEDA Act.
PIPEDA only applies to the collection, use, or disclosure of personal information during commercial activities. Therefore, federally-regulated businesses such as banks, airlines, telecommunications, and railways belong to the category. Organizations that manage canals, pipelines, and ferries, are also included.
However, non-profit organizations such as political parties and associations, educational institutions, and hospitals are exempted from complying with the PIPEDA Act.
The Privacy Act (not PIPEDA) controls the personal information security of the federal government department and agencies. Therefore, provinces like Quebec, British Columbia, Alberta, New Brunswick, and Labrador are exempted from the PIPEDA Act as they’re covered by the Privacy Act.
Are all Personal Data Subject to PIPEDA?
It’s no secret that the PIPEDA Act was rolled out to protect the personal data of people. To avoid ambiguities, the specific pieces of information the Act protects must be properly stated.
Under the PIPEDA rule book, personal information is any information on any data obtained in the course of commercial activity. In case you’re still unclear about the specifics, the PIPEDA rule book includes information about:
- ID numbers
- Income/financial information
- Race, national/ethnic origin.
- Marital status
- Blood type
- Medical, education or employment history
- Driver’s license/social insurance number
- Employee files, credit and loan records, and dispute history (if any)
- Disciplinary actions, opinions, and evaluations.
The following sensitive data don’t fall under the jurisdiction of the PIPEDA Act. They are:
- Personal information handled by the federal government organizations listed under the Privacy Act.
- Provincial or territorial governments and their agents
- Business contact information such as employee’s name, title, business address, telephone number, or email addresses that are collected, used, or disclosed for the sole purpose of communication concerning their profession.
- An individual’s collection, use or disclosure of personal information strictly for personal purposes
- An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.
PIPEDA’s Breach Notification Requirements
To have a full grasp of PIPEDA’s breach notification requirements, you must know what constitutes a PIPEDA data breach.
According to the PIPEDA guidelines, a breach of security safeguards refers to any loss, unauthorized access, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
It’s worth mentioning that PIPEDA data breach can occur just with unauthorized access without disclosure. This implies that hacking into systems and touching personal information is regarded as a breach. Thus, a ransomware attack is considered as a breach according to the PIPEDA data breach rules.
A major addition to the PIPEDA Act was the mandatory data breach notifications when/if a data breach occurs. PIPEDA’s breach notification policy requires the following:
- Report breaches: Companies are obligated to report data breaches to the Privacy Commissioner of Canada. Because the PIPEDA Act requires organizations to report any breach involving personal information in their control, the obligation to report a breach rests on every organization.
- Notify affected individuals: The PIPEDA Act also mandates that companies or organizations within the jurisdiction of the Act to notify the individuals affected by the breach on their personal information.
- Record maintenance: Organizations must maintain records of all data breaches of security safeguards irrespective of the scope of the breach or the sensitivity of the personal information involved. Even if an organization decides a breach doesn’t pose “real risk of significant harm”, it’s still expected to keep to the record-keeping rule.
The security of personal information of customers is a major responsibility of organizations. To have a business or an organization in Canada doesn’t exempt your customers’ data from the prying eyes of third parties. Data breaches, retention for use without permission can occur and you’ll need to follow PIPEDA breach notification requirements.
RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping your organization achieve compliance and risk-management success with multi-industry and public sector experience. Our team of trusted professionals with the requisite knowledge of industry standards makes us the solution providers to your data infringement worries.
Contact us today to ensure the safety of your customers’ information and for your organization’s compliance with applicable regulations.