Data privacy is critical for your organization, as consumer pressure and regulatory fines are helping turn the tide on privacy attitudes at many enterprises, including the tech giants. In our previous article on data privacy for businesses, we discussed what is meant by a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA). These processes check your compliance against a variety of data privacy regulations, including GDPR and the CCPA.
As you are aware, Canada also has privacy regulations, known as the Personal Information Protection and Electronic Documents Act (PIPEDA) and The Privacy Act. With a study by the Office of the Privacy Commissioner (OPC) finding that around 80% of Canadians are reluctant to share data, PIPEDA and The Privacy Act are important regulations for maintaining the data rights of the individual.
Here, we look specifically at the use of a PIA in helping with PIPEDA compliance: where it is applied, who it applies to, and how to carry out a PIA for PIPEDA compliance.
PIPEDA has a long history in digital terms. Receiving Royal Assent on April 13, 2000, it had a staged entry into law. Enactment began on January 1, 2001, and PIPEDA came into full force on January 1, 2004. PIPEDA has a provision that every five years the law must go through a review to apply updates in line with technological advances. For example, a current consultation is looking at the implications for privacy as Artificial Intelligence (AI) is increasingly used and how PIPEDA can be updated to reflect this.
On January 1, 2019, Canada's Office of the Privacy Commissioner brought out a set of "Guidelines for obtaining meaningful consent". This guidance sets out seven guiding principles on how to collect "meaningful consent" from customers for the processing of their data.
PIPEDA is a federal law in Canada, with the exception of Quebec, British Columbia, and Alberta, which have their own private-sector laws (similar to PIPEDA). However, all businesses operating in Canada that handle personal data (including across provincial and national borders) are subject to PIPEDA, no matter which province or territory they are located in. The Federal Court of Canada ruled that PIPEDA also applies to businesses in other jurisdictions if there is a “real and substantial connection” between the organization’s activities and Canada.
The Personal Information Protection and Electronic Documents Act covers private-sector, for-profit companies of all sizes. The law describes rules that must be followed during the collection, use, and disclosure of personal data in the course of commercial activities. To meet PIPEDA compliance, organizations must follow the 10 Fair Information Principles.
A Privacy Impact Assessment (PIA) looks at the risks involved in the processing of personal data by a company. As you know from our previous blog, a PIA is a process by which data risks are measured and assessed, and solutions for mitigating those risks are developed. The OPC regards a PIA as a “preventative measure” in the application of the privacy principles behind PIPEDA.
Therefore, the 10 Fair Information Principles should act as a guideline for the PIA:
According to the 2010 Treasury Board of Canada Secretariat (TBS) Directive on Privacy Impact Assessment, government institutions (excepting the Bank of Canada) must undertake PIAs for programs and activities when:
A PIA for PIPEDA is generally covered under the provisions of the “Accountability” principle. In terms of non-governmental organizations, under PIPEDA, a Privacy Impact Assessment is not mandatory. However, you should check to see if your organization is required to carry out a PIA under a provincial personal health information (PHI) protection act.
A PIA template from the Government of Nova Scotia is available from the International Association of Privacy Practitioners (IAPP). Our Privacy Experts can help guide you through whatever scenario is applicable to your organization.
The Canadian Government’s Privacy Act came into force in 1985 and was most recently amended in August 2019. The act only applies to federal institutions that are listed in the Privacy Act schedule of institutions. The act covers the processing of various personal data in the course of delivering government services; this includes tax collection and refunds, and border security. In essence, the Act covers personal data that is “about an identifiable individual.”
A PIA is only required of entities affected by the Privacy Act, i.e. federal government departments. In addition to the usual PIA process, the Four-Part Test of R. v. Oakes for Necessity and Proportionality is required for intrusive or sensitive areas of data processing, to determine whether the processing has a legitimate purpose.
The four questions to determine this are:
Statistics Canada carries out and publishes the results of a generic Privacy Impact Assessment. The results show the risks and other metrics in how the office collects, uses, and discloses personal information as it carries out its duties.
Data privacy has evolved from a “nice to have” to a business imperative and a critical issue. If your organization processes personal information within the jurisdiction of PIPEDA, you should consider a PIA. The process of going through a Privacy Impact Assessment not only protects the consumer, it protects your business. Data breach notifications under PIPEDA are now mandatory. A PIA is a way to minimize the impact of a data breach, but it also gives you the information needed to make the notification. With fines of up to $100,000 per violation, it is worth putting in the effort of a Privacy Impact Assessment.