BLG BUSINESS VENTURE CLINIC
Data Processing Regulations in Canada – a Primer on PIPEDA

1/20/2020


According to the Canadian federal government, Canada has more computers per capita than any other country worldwide. Canadians are also the heaviest internet users worldwide, with the average Canadian spending 40 hours online per month. However, our collective internet use comes with risks to both individuals and businesses. In fact, 70% of Canadian businesses have been victims of a cyber-attack.

Therefore, it is crucial that Canadian businesses are aware of their responsibilities regarding how to handle the personal information of their users.
PIPEDA is the Personal Information Protection and Electronic Documents Act. This federal privacy law for private-sector organizations outlines the ground rules for how businesses must handle personal information in the course of their commercial activity. PIPEDA applies to private-sector organizations in Canada that process personal information in the course of commercial activity. All businesses operating in Canada that handle information crossing Canadian provincial or national borders are subject to PIPEDA.
In a 2017 decision, the Federal Court of Canada found that PIPEDA applies to businesses established outside of Canadian jurisdictions as long as a “real and substantial connection” exists between a business’s activity and Canada. This effectively includes all Canadian startups.
Factors include:
  • Targeting of promotional efforts to a Canadian audience
  • Location of end users
  • Source of content
  • Location of operator
  • Location of host server
In general, businesses have no legal obligation to register with or notify the relevant data protection authorities with respect to their processing activities. But when businesses collect data as well as process it, they have to be aware of the rights that individuals retain with respect to their data.
  • Individuals have the right to:
    • Access to their data/copies of data
    • Rectification of errors in data
    • Withdrawal of consent
    • Right to complain to relevant data protection authorities
  • Individuals do not have the explicit right to:
    • Deletion/right to be forgotten
    • Object to processing
    • Data portability
PIPEDA has 10 key principles that guide how businesses should handle their users’ data. I have outlined them below.
  1. Transparency (openness) = organizations are to document and make available to individuals, in an accessible form, information about their policies and practices relating to the management of personal information.
  2. Meaningful Consent = Under PIPEDA, organizations must generally obtain an individual’s consent when they process that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge the accuracy of this information. As of January 1st, 2019, the Guidelines for Obtaining Meaningful Consent (GOMC) are in effect. The GOMC are intended to improve the existing consent model under PIPEDA. The GOMC were jointly issued with the offices of the Information and Privacy Commissioners of Alberta and British Columbia.
The GOMC emphasize the following elements:
  1. Emphasize the key elements of what is being collected:
    1. Personal information being collected
    2. With whom personal information is shared (parties)
    3. Purpose of collection, use and disclosure (collectively known as “processing”)
    4. Risk of collection, use and disclosure
  2. Allow individuals to control the level of detail they get and when
  3. Provide individuals with clear binary choices when asking permission to collect, use or disclose data (yes or no questions)
  4. Be innovative and creative
  5. Consider the consumer’s perspective
  6. Make consent a dynamic and ongoing process
  7. Be accountable: Stand ready to demonstrate compliance
 
  3. Purpose limitation = organizations are required to identify the purposes for which information is collected at or before the time of collection. Indiscriminate collection without a purpose is not permitted. Information may only be used for the purpose for which it was collected and not beyond that scope.
  4. Data minimization = information may only be collected to the extent necessary to fulfill the identified purpose of collection and not beyond it.
  5. Proportionality = Overriding obligation that organizations may only process information for purposes that a reasonable person would consider appropriate in the circumstances.
  6. Retention = (linked to data minimization) information may only be retained for as long as it is required to fulfill the purpose of collection.
  7. Accountability = Organizations are responsible for protecting personal information under their control, including personal information that they transfer to third parties for processing. Organizations must identify an individual who is responsible and accountable for ensuring compliance with the privacy principles. This person is the ‘Data Protection Officer’. This is expressly required by PIPEDA, PIPA Alberta and PIPA BC. Interestingly, no sanctions exist for not appointing a privacy officer.
  8. Safeguarding = Canadian privacy statutes contain specific provisions relating to the safeguarding of personal information. This includes provisions that require organizations to implement reasonable technical, physical and administrative measures to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, modification or destruction.
 
PLEASE NOTE:
  • PIPEDA does not apply to personal information held by federal government organizations.
  • PIPEDA does not apply to not-for-profit organizations, charity groups or political parties.
 
Appointment of Processors
Under PIPEDA, any organization is required to use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. The failure to have appropriate confidentiality agreements in place with third-party contractors has been found to be a breach of the accountability principle. PIPEDA does not prescribe specific provisions or requirements for these agreements; the industry standard is an acceptable benchmark (e.g. the industry standard for health data).
Transferring Data Outside of Canada
PIPEDA generally permits even non-consensual transfer of data outside of Canada, provided the organization uses contractual or other means to provide a comparable level of protection while the information is being processed by a third party. However, it is good practice, and required by some jurisdictions (Alberta), that if an organization uses a data processor outside of Canada, it specify the foreign jurisdictions to which the transfer is taking place and the purposes for which the foreign service provider has been authorized to process data on its behalf.
Notice of Breach
PIPEDA underwent a number of amendments in 2015. These included a three-pronged notice requirement in the event of a security breach. The three are:
  1. A report to the Office of the Privacy Commissioner of Canada
  2. A notice to affected individuals
  3. A notice to other organizations
PIPEDA’s breach notification provisions require an organization to notify affected individuals of a breach of security safeguards if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. The notification must be given as soon as feasible after the organization determines that the breach has occurred. The contents of the notification to individuals must include:
  a. a description of the circumstances of the breach;
  b. the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
  c. a description of the personal information that is the subject of the breach, to the extent that the information is known;
  d. a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach.
Failure to report a breach or to maintain records as required is an offence under PIPEDA, punishable by a fine of up to C$100,000.
Conclusion:
Businesses, especially startups, should proactively conduct an audit of their existing consent policies and practices in order to ensure they are compliant with the new GOMC. Businesses should be ready and prepared to demonstrate compliance with PIPEDA, in particular relating to these new consent requirements. Periodic review and reassessment of best practices is also highly recommended.

4 Comments
zia, 10/19/2020 11:43:54 pm

Business, marketing and communication services to help rebuild and grow your business
Sam, 2/23/2021 02:36:16 am

Wow! Such a great article you have there, especially now. I hope you will post more articles soon. Thank you.
Thanks and keep sharing. Keep safe.
Walter Blackburn, 4/1/2022 10:24:20 am

The failure to have appropriate confidentiality agreements in place with third party contractors has been found to be a breach of the accountability principle. Thank you, amazing post!
Fabian Javier, 5/20/2022 08:03:31 am

That if an organization uses a data processor outside of Canada they specify the foreign jurisdictions in which the transfer is taking place and for what purposes. Thank you for sharing your great post!

    Blog posts are by students at the Business Venture Clinic. Student bios appear under each post.
© 2019 University of Calgary. All rights reserved.