PIPEDA: A Company’s New Responsibility in Storing Personally Identifiable Information
In Canada, most legal obligations pertaining to cybersecurity can be found in one of the privacy laws. The principal law is the Personal Information Protection and Electronic Documents Act (PIPEDA), which became law on April 13th, 2000 and came into full effect on January 1st, 2004 after a two-stage implementation. The legislation not only covers the ways data should be safely stored in the digital world, but also how organizations must collect, use and disclose personal information in the course of commercial activities.
In PIPEDA, ‘personal information’ or Personally Identifiable Information (PII) is defined as information about an identifiable individual such as age, name, marital status, educational level, e-mail addresses, ID numbers, income, ethnic origin, blood types, employee files, credit records, loan records, medical records, opinions, evaluations, purchases, height, weight, fingerprints, voiceprints, and so on.
The objective of the law is to balance the need of organizations to use data for legitimate business purposes with individuals’ right to privacy.
At the same time, by incorporating the provisions of the Canadian Standards Association’s Model Code for the Protection of Personal Information and making them mandatory, the government aimed to reassure the European Union, which declared the law adequate in the early 2000s.
PIPEDA applies to:
If your company operates in more than one province, you may have to comply with more than one statute.
For instance, if your organization operates in British Columbia and Alberta, you will have to comply with both statutes. In addition, if you are exchanging data between your two locations or with a customer located in a different province, you will have to obey PIPEDA for this exchange. Examples include selling a mailing list from one province to another or sending customer data to a loyalty program in another jurisdiction.
According to s. 29, PIPEDA has to be reviewed every five years by the committee of the House of Commons designated for that purpose.
This means that your cybersecurity obligations may be altered to reflect new technologies and threats. Compliance requires a proactive attitude and an information security framework that is continually revised in light of new legal developments. Flexibility and awareness are key to keeping your cybersecurity program aligned with the stated requirements.
The Digital Privacy Act (formerly known as Bill S-4) received Royal Assent in June 2015 and amends PIPEDA in significant ways. The changes pertaining to breaches of security safeguards (data breaches) have yet to come into force, pending the necessary regulations.
The concept of ‘reasonableness’ is prominent across PIPEDA, and organizations are required to perform many contextual analyses to determine whether their practices are compliant. For instance, the Safeguards principle states that an organization must adopt security safeguards appropriate to the sensitivity of the personal information it holds.
Experts question whether PIPEDA will meet the new European standard set by the General Data Protection Regulation, which comes into effect on May 25, 2018. It is very likely that Canada will lose its adequacy status unless substantial changes are made to PIPEDA beyond the mandatory breach requirements coming into force in 2018 (once the regulations are in place). Many reports presented to Parliament have pointed out numerous gaps.
Regardless of the EU-US Privacy Shield, more will have to be done.