Canada enforces a number of laws related to privacy rights, including two federal laws enforced by the Office of the Privacy Commissioner of Canada (OPC) — the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).
Since technology now impacts nearly every aspect of modern life, there has never been a more critical time to consider the privacy of Canadian (and international) residents. The protection of personal information has been enforced for more than three decades in Canada and the privacy of residents continues to be a top priority.
PIPEDA impacts Canadian businesses of all sizes, as well as foreign companies that operate in Canada, enforcing mandatory breach reporting requirements.
Table of Contents
What Is Personal Information?
Personal information is defined as any subjective or factual information, whether it is recorded or not, which identifies an individual. This includes:
- Age, name, income, ethnic origin, blood type, and ID numbers
- Opinions, evaluations, social status, comments, or disciplinary actions
- Credit records, employee files, loan records, medical records
It is important to note that there are some instances where PIPEDA does not apply. For example, any personal information handled by federal government organizations falls under the Privacy Act. Since PIPEDA typically apples to commercial activities only, not-for-profits and political associations are generally exempt.
The Privacy Act — How the Government of Canada Handles the Personal Information of Residents
The Privacy Act, which came into effect in 1983, applies to the federal public sector, which includes approximately 250 departments, Crown corporations, and agencies. These range from the Yukon Surface Rights Board to Agriculture Food Canada.
In short, the Privacy Act protects the privacy rights of Canadians in relation to their interactions with the federal government. This applies to the collection, use, disclosure, retention, and disposal of recorded personal information.
Over the years, the Privacy Act has adapted to various trends in order to make the law more accurate. For example, changes have been made in response to wireless communications, global positioning systems (GPS), etc.
Comparable Acts in the United States
The Privacy Act of 1974 is similar to Canada's Privacy Act in that it establishes a fair code of practices in relation to the collection, use, maintenance, and dissemination of information about individuals. This information is maintained by federal agencies. Since 1974, the Internet rapidly altered the definition of privacy and in response, it became necessary to enact new, up-to-date laws.
One of the most notable is the Electronic Communications Privacy Act (ECPA), which was passed in 1986. Although technology has dramatically changed since then (and new laws reflect these changes), the act itself remains the same. This act allows the U.S. government to access digital content with a subpoena. The ECPA applies to telephone conversations, email, and data stored electronically.
Most recently, U.S. senators introduced the Consumer Online Privacy Rights Act (COPRA), which will become law sometime in 2020. This digital privacy act will provide U.S. consumers with the same type of data protection as the European General Data Protection Regulation GDPR. This bill was introduced shortly before the California Consumer Privacy Act (CCPA) came into effect (Jan. 1, 2020).
Integrate Your Data Today!
Try Xplenty free for 7 days. No credit card required.
PIPEDA — How Organizations Handle the Personal Information of Canadians
The PIPEDA is the federal privacy law for private-sector organizations in Canada and applies to the collection, use, or disclosure of personal information in relation to commercial activity. This act was presented as a new law in 2000 and has since expanded, covering industries such as broadcasting, banking, and the health sector.
Similar to the General Data Protection Regulation (GDPR), under the PIPEDA, residents have the right to access personal information that is held by an organization. In fact, PIPEDA is designed to keep Canada's notification requirements consistent with trading partners, specifically the EU. This allows for the free flow of personal information from the EU to Canadian organizations.
PIPEDA and the Provinces
Being a Canadian law, PIPEDA applies to all federal workers, undertakings, and businesses (FWUBs). However, there are slight differences across the country based on provincial privacy laws. In many provinces, any personal information collected by schools, universities, municipalities, and hospitals is protected by provincial legislation.
Here are a couple of examples:
- Alberta enforces the Alberta Personal Information Protection Act (PIPA), and in British Columbia, businesses and organizations can refer to B.C.'s Personal Information Protection Act (PIPA).
- Since all organizations in the Territories are considered to be federal workers, undertakings, and businesses (FWUBs), PIPEDA applies to information related to the information collected in the Northwest Territories, Nunavut, and Yukon.
All interprovincial and international transactions that involve personal information are also subject to PIPEDA. For more information, please refer to Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia's Personal Information Protection Acts.
How PIPEDA Affects Businesses
Both small and large businesses are subject to PIPEDA requirements. If you keep customer data records and those records could be used to identify an individual, then PIPEDA likely applies. This type of information may include GPA data, credit card numbers, email addresses, or home addresses.
PIPEDA applies to those outside of the Canadian border, as Canada's privacy laws are more far-reaching in comparison to U.S. laws. This means that if you operate a U.S.-based company that does business in Canada, handling the personal data of Canadians, you need to be aware of PIPEDA.
According to a 2018 CIRA Cybersecurity Survey, it was found that 38% of Canadian businesses lacked awareness in terms of PIPEDA's old requirements, not to mention the changes that were implemented in late 2018.
Under PIPEDA, businesses are required to:
- Report to the Privacy Commissioner of Canada regarding breaches of security safeguards involving personal information
- Notify the individuals affected by those breaches
- Keep records of all breaches
Significant harm includes humiliation, bodily harm, loss of employment, damage to reputation or relationships, business or professional opportunities, identity theft, financial loss, and damage to or loss of property.
The Penalties of PIPEDA Non-Compliance
It is an offense to knowingly contravene PIPEDA's reporting, notification, and record-keeping requirements. In doing so, organizations can anticipate consequences.
Unlike the GDPR, there is no set fine associated with this offense. Instead, the OPC refers to the information to the Attorney General of Canada, who is then responsible for prosecution.
However, organizations have been warned that failure to report the potential for significant harm could result in fines up to $100,000 each time an individual is impacted by a security breach. That is if the government decides to prosecute. More information on the laws pertaining to breaches of security safeguards can be found here. You can also find a number of beneficial resources regarding compliance, cloud computing, mobile apps, and much more on the OCP website.
Enjoying This Article?
Receive great content weekly with the Xplenty Newsletter!
How to Stay Compliant
Although some of the most notorious data breaches occurred within large corporations, it was reported in Verizon's 2019 Data Breach Report that 43% of all data breaches involved small businesses. That is why all businesses, regardless of size, need to remain mindful of PIPEDA.
Whether you are a small business or a large corporation, if you are collecting sensitive data, you need to ensure that you are meeting the standards to collect, process, and store that information.
In order to prevent a data breach, you will need to take proactive measures, protecting all inbound and outbound data. Encryption of sensitive data will be imperative, as well as secure data management.
For example, it is recommended that you appoint an internal Privacy Officer or someone who is responsible for facilitating ongoing compliance. You should also train your staff about the importance of PIPEDA and implement an internal audit on a quarterly basis. Please refer to the PIPEDA Self-Assessment Tool guide for a more comprehensive list of your organization's responsibilities.
PIPEDA and Xplenty
Keeping your data secure is one of the most important things we do at Xplenty. Xplenty uses SSL/TLS encryption to maintain the highest security standards and help you gain greater control over your data.
If you are collecting data from multiple sources and aim to take proactive action in terms of PIPEDA, you will benefit from a data integration platform or data processor.
Xplenty will help you migrate, transform, and organize data from varying sources, and in this case, personal data. Although we do not have access to your customers' data, we do provide the necessary services that allow you to maintain compliance. This includes the personal data about your customers — meaning, Xplenty will help you put systems in place that support PIPEDA compliance.
By following industry practices surrounding encryption, authorization, authentication, and auditing, Xplenty ensures that your data remains safe at all times. Xplenty will also help you streamline this process so that you can effectively access, remove, change, and delete any data at your user's request.
Ready to build compliant data pipelines? If so, it's time to create a data integration plan. Learn more about our easy-to-use data integration platform, as well as all associated integrations, or contact us to schedule a demo and experience the Xplenty platform for yourself.