On November 1st, 2018, major changes to PIPEDA (Canada’s federal Personal Information Protection and Electronic Documents Act) will come into effect. This is in conjunction with the European Union’s recent General Data Protection Regulation (GDPR).
If you work with or come in contact with private, personally identifiable information, then you need to know what changes may be required to your business processes.
November 1st set as the date for changes to PIPEDA.
Canada’s Privacy Commissioner has provided a summary of key changes to PIPEDA (PDF).
Here is the Canadian Government’s page of links regarding PIPEDA, including compliance help, and a link to the full PIPEDA document.
This article is an overview of the changes to PIPEDA.
One of the major changes is a new requirement for organizations to report to the Office of the Privacy Commissioner of Canada and notify affected individuals and relevant third parties about “breaches of security safeguards”. These are privacy breaches that pose a “real risk of significant harm” to affected individuals. Although “Breach of security safeguards” is defined in PIPEDA, it generally includes what is commonly known as a “data breach”.
Along with reporting, you will now also be required to keep a record of all breaches involving personal information. You will need to have these available to provide a copy to the Office of the Privacy Commissioner upon request.
The new changes to PIPEDA do not generally apply to business contact information–including email addresses–which you collect, use or disclose solely for communicating with a person in relation to their employment, business or profession.
So yes, you may collect, use or disclose personal information produced by an individual in the course of their employment, business or profession without their consent. This is as long as such collection, use or disclosure is consistent with the purpose for which the information was produced.
If you collect private information from people online or physically, then this article by McMillan states: “consent is only valid if it is reasonable to expect that the individual would understand the nature, purposes and consequences of the collection, use or disclosure of his/her personal information.”
An article by IT World Canada suggests: “organizations will need to take a more active role in assuring compliance. With the changes to data security requirements and privacy centered legislation, companies have to be able to show effective due diligence. Doing nothing is not an option for anyone who plans to remain in business.”
If you work with Iron Mountain, they have an advisory team that can assist you in preparing for these new changes to PIPEDA.
Please understand we are neither politicians nor lawyers, so we cannot advise on these changes. If you feel these changes to PIPEDA will affect you, then you should seek counsel.