The Canadian government passed the Digital Privacy Act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal statute that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Several of the changes are important for Canadian organizations to take note of.
It is also worth noting that these amendments expand the situations in which organizations are allowed to share personal information without consent. These exceptions are not a blanket licence, however. PIPEDA still requires that personal information be collected, used, or disclosed only for purposes a reasonable person would consider appropriate in the circumstances, and an organization that transfers personal information to another entity remains accountable for it, so appropriate contractual and technical safeguards must be in place before the transfer happens.
1. Data breach notification requirements
PIPEDA now includes mandatory breach notification requirements, which come into force on a date to be fixed by order in council (they ultimately came into force on 1 November 2018). Once in force, an organization that suffers a breach of security safeguards involving personal information under its control must report the breach to the Office of the Privacy Commissioner of Canada (OPC) and notify affected individuals where it is reasonable to believe the breach creates a real risk of significant harm to them. The sensitivity of the information and the probability that it will be misused are the factors to weigh, so the same type of incident can fall on either side of the threshold depending on the data involved. Organizations must also keep a record of every breach of security safeguards, whether or not it meets the harm threshold, and provide those records to the OPC on request. Knowingly failing to report a breach, notify individuals, or keep the required records is an offence punishable by a fine of up to C$100,000. The OPC may also make information about an organization's breaches public where the Commissioner considers that to be in the public interest.
2. Sharing personal information during business transactions
Organizations that are parties to a prospective business transaction (a merger, acquisition, sale of assets, financing, and the like) may now use and disclose personal information without consent where that is necessary to determine whether to proceed with the transaction and, if so, to complete it. Before any information changes hands, the parties must agree to use and disclose it solely for purposes related to the transaction, to protect it with security safeguards appropriate to its sensitivity, and, if the transaction is completed, to notify the individuals within a reasonable time that their personal information has been disclosed. The exception does not apply where the primary purpose or result of the transaction is to buy, sell, or lease personal information. If the transaction is not completed, all personal information received must be returned or destroyed within a reasonable time.
3. Notice required for using employee information
Federal works, undertakings, or businesses (FWUBs), that is, federally regulated employers such as banks, airlines, and telecommunications carriers, may now collect, use, and disclose an individual's personal information without his or her consent where doing so is necessary to establish, manage, or terminate an employment relationship with that individual. The exception only applies if the FWUB has first informed the individual that the personal information will be or may be collected, used, or disclosed for those purposes.
4. Sharing personal information during investigations
Organizations may now disclose personal information to another organization without consent where the disclosure is reasonable for the purposes of investigating a breach of an agreement, or a contravention of the laws of Canada or a province, that has been, is being, or is about to be committed, and where it is reasonable to expect that seeking the individual's knowledge or consent would compromise the investigation. The disclosure should be limited to what the investigation reasonably requires, and the receiving organization is bound by PIPEDA for whatever it receives.
5. OPC enforcement actions include compliance agreements
The OPC now has the authority to enter into a compliance agreement with an organization where the Commissioner believes on reasonable grounds that the organization has committed, is about to commit, or is likely to commit a contravention of PIPEDA. Entering into a compliance agreement is voluntary for the organization: it lets the organization commit to specified corrective measures and demonstrate its commitment to privacy protection, and while the agreement is in force the OPC will not take the matters it covers to the Federal Court. If the organization fails to honour the agreement, the Commissioner can apply to the Federal Court for an order requiring compliance.