Important Changes to PIPEDA: What You Need To Know
On November 1st 2018, major amendments are being made to Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA), in line with the European Union’s recently introduced General Data Protection Regulation. These changes will require data-collecting organizations across the country to bring their privacy posture into line with the new requirements.
Personal information includes any factual or subjective information about an individual, such as name, birth date, medical history and income. The new PIPEDA rules require domestic and foreign organizations to report all breaches of personal information to the Office of the Privacy Commissioner of Canada, keep records of breaches, and notify individuals about all breaches that put them at “a real risk of significant harm.” Significant harm includes bodily harm, identity theft, job loss and damage to reputation. Failure to comply could result in an investigation by the Privacy Commissioner, hefty fines or reputational consequences.
This shift will undoubtedly alter the way that certain industries operate. Canadians will have more control over their personal data and how they consent to its use. Canadian health organizations such as hospitals, long-term care facilities and clinics should review where their data is being stored and who has access to it. Canadian educational institutions that handle student data from Kindergarten to college-level should also be aware of their due diligence during this shift.
The Cost of Non-Compliance
If organizations are found to be non-compliant, they could face exorbitant fines and reputational repercussions. It is important for industries, which thrive on the trust of those they serve, to mitigate these risks.
Recommendations for Compliance
These changes are the first major update to PIPEDA since its creation and therefore require proper preparation. We recommend that all organizations take the following steps to prepare for compliance.
- Understand what data types you have and categorize accordingly.
- Define and apply internal policies for data protection. Make sure that staff are properly educated and trained on this issue.
- Develop or update your data breach response plan.
- Determine whether the systems that hold your data have appropriate security safeguards in place. If you use a managed service provider, review their plans for ensuring compliance. It is necessary for Canadian organizations (particularly in the health and education industries) to use a Canadian-owned provider that stores 100% of their data within Canada. These two non-negotiable factors will protect data from invasive U.S. laws that can easily trigger a breach.
As governments across the world raise the standard for privacy protection, it only seems fitting that Canada should follow. If you have questions or concerns related to compliance, please contact us!