3 Ways Small Businesses Can Stay Compliant Under Federal Privacy Laws

By Ad Ops | May 27, 2019 | Last updated on October 2, 2024

How can small businesses stay compliant under PIPEDA?

The Office of the Privacy Commissioner of Canada has published various online resources for both individuals and businesses to help them better understand their obligations under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Here are 3 tips on how small businesses can stay compliant under PIPEDA:

  • Appoint an internal Privacy Officer: Appoint someone within the business to help facilitate ongoing compliance. Appointing an individual not only signals that you are holding someone accountable for this initiative – it also helps ensure that personal information collection practices follow the Privacy Commissioner of Canada’s recommended guidelines and that the business remains compliant.
  • Train Your Staff About PIPEDA: Under Schedule 1 of the Act, organizations are expected to follow a code for the protection of personal information which was developed in conjunction with the Canadian Standards Association. The 10 principles include accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access and challenging compliance. Training your employees on these principles and guidelines helps ensure that all staff understand PIPEDA matters. For additional details, please review the Privacy Toolkit provided by the OPC: https://www.priv.gc.ca/media/2038/guide_org_e.pdf
  • Audit Your Information Collection Practices: Conducting an internal audit on a quarterly, bi-annual or annual basis demonstrates a business’s commitment to treating its personal information collection practices as a priority. These audits also help ensure that your business remains compliant under federal privacy laws. Along with helping to prevent privacy breaches, being able to provide evidence of a consistent privacy plan could also reduce the amount of any fine or damages that could be awarded against the company.

In the event of an investigation under PIPEDA, there are three stages. Once an investigation begins, whether initiated by an individual complaint or by an issue identified by the Office of the Privacy Commissioner of Canada (OPC), it moves into the ‘Intake’ stage. During this stage, the unit reviews complaints and gathers additional information in preparation for the ‘Investigation’ stage. Once the complaint is accepted, the investigation commences. If the complaint cannot be easily resolved, a formal investigation will be required. The complaint may then move through the ‘Further Enforcement Tools’ stage. Following the completion of the Privacy Commissioner’s investigation, a business can then face civil action for damages from the individuals who were affected by the breach.

As of November 1st, 2018, regulations came into force requiring organizations to notify affected individuals and the OPC in the event of a serious data breach. Organizations must keep a record of all breaches, but only need to report breaches that pose a real risk of “significant harm”. In assessing whether a breach creates a real risk of significant harm, the organization will need to consider the sensitivity of the personal information and the probability that the information has been, is being or will be misused.

Taking steps to ensure your business remains compliant under federal privacy laws will require time and commitment from your organization. It also just makes good business sense, as your customers place a high value on you taking all possible steps to keep their data safe. Fortunately, business owners can draw on the numerous resources published by the Office of the Privacy Commissioner of Canada to help ensure they remain compliant. For more information visit: https://www.priv.gc.ca/en

David Smagata – Vice President, Claims & Chief Legal Officer

As Chief Legal Officer and an Insurance Executive, David Smagata leads Claims, Compliance, and Legal in the management of compliance risk, liability and litigation, and corporate oversight for DAS Legal Protection Inc. With almost 20 years of experience in litigation, in conjunction with strong managerial and operational background experience, David brings an insightful and proactive approach to legal issues and a unique ability to solve complex legal and corporate challenges in the financial services field.
