PIPEDA & Customer Privacy
The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) regulates the collection, use and disclosure of personal information by private organizations in Ontario. PIPEDA defines “personal information” as “information about an identifiable individual”. It is difficult to imagine a business that does not collect, use or disclose the personal information of its customers in the operation of its business.
Bill S-4, the Digital Privacy Act, received royal assent on June 18, 2015, and amends key provisions of PIPEDA. The following is a summary of some of the significant changes to PIPEDA that will affect your business and how you handle personal information.
1. MANDATORY BREACH REPORTING
Organizations will now be required to report data breaches to those individuals affected if there is a real risk of significant harm to the individual.
“Significant Harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record and damage to or loss of property. In assessing whether there is a “Real Risk” of such harm, factors such as the sensitivity of the personal information and the probability of misuse of such information must be considered.
In addition to notifying the affected individuals, the organization will, in certain circumstances, be required to notify other organizations that it believes may be able to reduce the risk of harm or mitigate the harm. Consent of the affected individuals will not be required.
Finally, organizations must keep and maintain a record of every breach of security safeguards involving personal information under their control. It is important to note that a “real risk” of “significant harm” is not a threshold for these record-keeping requirements: every breach must be recorded, whether or not it must be reported.
2. STRICTER CONSENT REQUIREMENT
Organizations are currently required to obtain informed consent for the collection, use and disclosure of an individual’s personal information. This means that the individual must be informed, in a manner that he or she can reasonably understand, of the purposes for which the information is being collected. Under the Digital Privacy Act, this requirement has been amplified and consent to the collection, use and/or disclosure of personal information will only be valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information being collected.
3. NEW EXEMPTIONS TO CONSENT REQUIREMENT
New consent exemptions have been added to PIPEDA, including the following:
Fraud and Investigations:
In certain circumstances, organizations will be permitted to share personal information with other organizations for the purpose of investigating breaches of agreements or law that have been, or are about to be, committed.
Prospective Business Transactions:
Organizations will be permitted to disclose personal information without consent for the purpose of conducting due diligence in the course of a prospective business transaction provided: (a) that the parties enter into an agreement governing the use, collection, protection and destruction of the personal information; and (b) the personal information is necessary to determine whether to proceed with/complete the transaction. Once the deal is closed, the parties may only use the personal information without the knowledge and consent of the individual if: (a) they enter into an agreement that governs the use, protection and disclosure of the personal information; (b) the personal information is necessary for carrying on the business; and (c) the individual is notified within a reasonable time that the transaction is closed and their personal information was disclosed.
Employees:
In the case of employees of federal works, undertakings or businesses (e.g. railways, banks, etc.), organizations may collect, use and disclose personal information of such employees without consent if such information is required for the purpose of hiring, managing or terminating the employee, and the employee has been informed that the information may or will be collected, used or disclosed for those purposes.
Organizations that fail to comply with the Breach Reporting and Record-Keeping Requirements are guilty of: (a) an offence punishable on summary conviction and liable to a fine of up to $10,000.00; or (b) an indictable offence and liable to a fine of up to $100,000.00. It remains to be seen whether these fines will be charged with respect to the offender alone or charged for each individual affected by the breach.
If the Privacy Commissioner of Canada believes that an organization has committed, or is about to commit, a breach of the requirements, it may, in its discretion, enter into a compliance agreement with the organization containing terms necessary to ensure compliance with PIPEDA. Once a compliance agreement is signed, the Commissioner may not initiate a proceeding in the Federal Court. Prosecutions under PIPEDA and actions by individual complainants can still be initiated despite the existence of a compliance agreement.
If you have any questions relating to any of the above, please do not hesitate to contact Joanne Gilbert at firstname.lastname@example.org or 905.276.0406.