Canadian privacy and data protection basics for emerging companies

Corporate Update

The right to privacy and protection is becoming increasingly important. Customers want control over the information that companies collect about them and over how that information is used. Companies should implement strong security safeguards to protect personal data and to guard against threats to digital privacy. This article provides an overview of privacy and data protection for companies in Canada’s private sector, in addition to best practices to ensure compliance with applicable privacy legislation.

Canadian privacy laws applicable to emerging companies

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the collection, use or disclosure of personal information in the course of a commercial activity by private sector organizations.[1] PIPEDA applies in all provinces except British Columbia, Alberta and Québec, each of which has enacted its own private sector privacy law that has been deemed “substantially similar to PIPEDA”. Electronic marketing is covered by Canada’s Anti-Spam Legislation and will not be covered in this article. As well, each Canadian jurisdiction has public sector privacy legislation that applies to public bodies and their service providers.

Companies also have employee privacy obligations. PIPEDA applies to employees of federally regulated companies (as well as any cross-border information activities); the private sector privacy laws of British Columbia, Alberta and Québec apply to employees of provincially regulated companies in those jurisdictions.

What constitutes personal information?

PIPEDA gives personal information a broad and expansive interpretation. It is information, recorded or unrecorded, “about” an identifiable individual such as: age, date of birth, name, ID numbers, personal email address or mobile phone number, income, ethnic origin, blood type, opinions, evaluations, comments, social status, employee files, credit records, loan records, medical records, consumer disputes. However, personal information does not include business contact information that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession.

Key requirements under PIPEDA

There are a number of requirements to comply with PIPEDA. Generally, companies are directed to follow the ten fair information principles to protect personal information, as set out in Schedule 1 of PIPEDA: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

Additionally, all of the principal Canadian private sector statutes apply the following key requirements:

Meaningful consent

Companies must obtain a customer’s meaningful and informed consent when they collect, use or disclose the customer’s personal information. Meaningful consent is largely tied to clearly identifying the purposes for which the information will be collected, used and disclosed. The way in which a company seeks consent may vary as it depends on the circumstances and the type of information that is collected. Express consent is the default and a company should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.

Customers can only be required to provide personal information that is essential to the product or service being offered, and the company should be able to provide a clear explanation of why this is the case. On the other hand, if the personal information is non-essential, companies must give customers the option to easily opt out of providing this information.

If a company is going to use the personal information collected for a different purpose than originally intended (as communicated to the customer), the company must obtain new consent for that new purpose, even if the customer already provided consent for the original purposes.

Limited use

Companies can only use personal information for the purposes for which it was collected. Accordingly, and as an additional safeguard, companies should limit collection to only what is necessary for the identified purposes, as this reduces a company’s exposure to inappropriate uses and disclosures.

Right of access

Customers have a right to access the personal information that companies collect about them, and companies must respond to access requests within a reasonable timeframe. Companies should provide this access at little or no cost to the customer.

Notably, a customer’s right to access is not absolute. Companies can, and sometimes must, withhold a customer’s information in different circumstances - for example, if disclosing the customer’s information would reveal the company’s confidential commercial information or would reveal another person’s personal information. Accordingly, when responding to an access request, companies ought to be mindful to sever whatever information can or must be severed and provide the remaining information to the customer.

Responsibility to create protections

Companies have an obligation to ensure that the personal information they collect is protected by appropriate safeguards. PIPEDA does not specify what security safeguards must be used; however, what is reasonable is tied to the level of sensitivity of the information (i.e., the more sensitive the information, the greater the onus to provide stronger protection).

Reasonableness

PIPEDA applies an overall standalone reasonableness requirement. A company is only permitted to collect, use or disclose personal information for purposes that a reasonable person would consider to be appropriate in the circumstances. Notably, this reasonableness requirement is separate and apart from the applicable consent requirements, which means that a company might be offside PIPEDA even if it obtains consent for the collection, use or disclosure of personal information.

The federal Privacy Commissioner has identified 6 “no-go zones” which contravene the PIPEDA reasonableness requirement. They are set out in Guidance on Inappropriate Data Practices: Interpretation and Application of s. 5(3).

Best practices

To ensure best practices and compliance with applicable privacy legislation, every company should conduct a privacy diligence process whereby the following key items are accounted for:

  • Personal Information Inventory - The company should be in a position to easily identify (i) the personal information in its custody or control; (ii) its authority for the collection, use and disclosure; and (iii) the sensitivity of the personal information.
  • A Privacy Policy - The company should implement a privacy policy that deals with (i) its collection, use and disclosure of personal information (including requirements for consent and notification); (ii) access to and correction of personal information; (iii) retention and disposal of personal information; (iv) responsible use of information and information technology including security controls; and (v) making complaints and challenging compliance.
  • Privacy Officer - The company must designate an individual (most commonly a Privacy Officer) to be accountable for its compliance with PIPEDA, and must make the identity of the Privacy Officer known on request. The company should post the designated individual’s contact information prominently on its website and take steps to ensure that employees can locate this information so that they can assist customers.
  • Data Protection Agreements / Cloud Computing - The company is accountable for the personal information that it transfers to third parties and that third parties process on its behalf. Accordingly, the company must ensure that transfers of personal information comply with applicable privacy requirements[2] and that the third party offers a “comparable level of protection”, i.e. the third party processor must provide protection that is generally equivalent to the level of protection the personal information would receive if it had not been transferred. A company may protect personal information that is sent to a third party through contract by including audit and inspection rights, and a requirement to implement effective security protocols to ensure the personal information is properly safeguarded at all times.
  • Create a Breach Response Plan - Companies generally have an obligation to notify regulators and perhaps affected individuals about privacy breaches.[3] Companies should have a procedure in place to manage a potential privacy breach. Breach response plans go a long way toward minimizing the harmful effects of breaches and mitigating the damage they cause. Larger companies will require a collaborative approach with different stakeholders.

Companies should conduct a privacy diligence exercise to ensure they are adhering to privacy laws. This includes regular audits of customer information (how it is being collected, used and disclosed) as well as a review of the various safeguards that have been put in place to protect personal information. Not only is this good governance practice, but it also reduces the likelihood of compliance issues and maintains investor and customer trust, thereby enhancing business value.



 

[1] Commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

[2] PIPEDA does not prohibit cross-border transfers of personal information. However, if such third party transfers are cross-border transfers, companies are wise to assess the risks to the integrity, security and confidentiality of personal information that is transferred outside of Canada, including by taking into account the laws of, and the political, economic and social conditions in, the recipient jurisdiction. The company should also inform individuals (typically in the privacy policy) that personal information may be processed outside of Canada.

[3] The breach notification requirements vary between jurisdictions. For example, PIPEDA and Alberta private sector legislation have specific breach notification requirements; BC’s legislation does not have an express notification requirement, but notifications may be appropriate in any event under the general obligation to keep information secure.

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice.