Obligations under the data breach notification law (Lexpert)

Are you always worried about handling personal information? With most information currently stored electronically, the risk of data breaches is very real. Even governments aren't safe, as the 2020 Canada Revenue Agency data breach showed. That incident required the immediate operation of the data breach notification law.

While no one prays for another data breach, it helps to know that there are laws in place to guide organizations. Among other things, the data breach notification law requires organizations to report their data breaches to affected individuals. Here's what you should know about handling personal information under the data breach notification law.

Data breach notification law is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). This federal law regulates the handling of personal information during commercial transactions, including the collection, use and disclosure of personal data. By extension, it also covers the storage of information while in use.

In simple terms, a data breach happens when there is disclosure of personal information to unauthorized third parties. A common scenario is a cyberattack in which a group breaches security controls to steal personal information. However, it can also happen if an unauthorized member of an organization accesses or discloses personal information.

When PIPEDA says "personal information", it refers to:

The unauthorized disclosure of any of this information will trigger the data breach notification law.

Compliance with PIPEDA is required for any commercial activities of organizations. Strictly speaking, non-profit organizations that do not engage in commercial activities are exempt. However, compliance is required if the non-profit participates in selling, bartering or leasing of donor, membership or other fundraising lists.

Certain provinces and territories follow their own specific data breach notification law. This includes:

Organizations operating under these provinces or territories do not fall under PIPEDA. They must follow their own provincial/territorial laws.

The healthcare sector in these provinces also follows special laws for data protection.

These overlapping jurisdictions can cause problems in cases filed based on the data breach notification law. There's often a need for excellent lawyers who can consolidate different provincial laws.

What about cross-border organizations handling personal information in commercial activities? For these organizations, PIPEDA applies. However, it's best to consult cross-border lawyers in these instances, especially if the data owner is a resident of another country.

Data breach notification law does not have specifics on how to approach security measures. It does have general guidelines that organizations are expected to follow. Here's a brief overview of these principles.

Organizations are responsible for personal information they collect and control. Even if the information is processed by a third party, the organization is responsible for any breach. It's necessary to enter into a contract with the third-party processor to ensure that they also comply with PIPEDA.

The law also requires the designation of a person who shall be primarily responsible for compliance with PIPEDA. This person retains responsibility even if other individuals handle the daily collection or processing of data.

Organizations must identify the purpose of collecting personal information. The data owner must be informed of the purpose at the time of collection. The purpose of collection will determine and justify what information is being asked for. For example, a credit card company's collection doesn't really necessitate information on ethnic origin.

The data owner must consent to the collection or disclosure of their data. This consent is limited to the purpose of the collection, so if the data is used for any other purpose, separate consent must be given. PIPEDA requires meaningful consent. This means that the data owner must understand how the information will be used or disclosed.

Consent can be given in various ways:

Consent may also be withdrawn, except if a contract or law prohibits it.

The data collected must be limited to the purpose of the collection. This relates to the principle of identification of purpose. Under PIPEDA, the collection must be by fair and lawful means, which is intended to prevent collection through misleading or deceiving methods.

Here's a brief overview about limiting collection as a principle of PIPEDA Canada:

The purpose of collection is critical because it guides all other activities related to the data. The use and disclosure of the information should always be for the actual purpose of its collection. The data must also be kept by the organization only as long as it serves that purpose. Otherwise, the organization is in violation of PIPEDA.

But how long should they keep the information? PIPEDA doesn't specify that. Instead, organizations are required to make their own guidelines and procedures for storage. They must be prepared to justify this decision in the event of a complaint.

Personal information should be accurate and up to date. The extent of accuracy and freshness required depends on how that information is used. For information disclosed to third parties or used consistently, accuracy and freshness are critical.

A classic example would be credit information affecting a person's credit score. Delayed updates on a person's payments could impact credit scores. This could then decrease their borrowing power, especially for big purchases like a house loan or a car loan. Organizations concerned with these transactions must be accurate in their reports.

All organizations must establish security safeguards for the protection of personal information. The extent of these safeguards depends on the sensitivity of the information. PIPEDA even includes possible methods of protection, which can be:

Data breach notification law also requires informing employees of the importance of handling personal information.

Organizations are required to be open about policies and practices related to personal information. If people want to find out about these policies, the information should be readily available. The information should also include the name of the person designated under the data breach notification law.

Other information displayed should be:

Data owners, upon request and proof, should be able to access their own information. They should also be informed of its use and disclosure if they ask. If they find any inaccuracies, they can challenge this information and have it corrected upon proof.

The right to access isn't always available; there are some exceptions. In this case, the organization is duty bound to tell the data owner why access is denied.

Finally, the last principle under the data breach notification law lets the data owner challenge organizations.

People can file complaints with the organization if it doesn't comply with PIPEDA or any of these principles. A complaint may be filed with the organization first so that it can investigate and address these matters at its own level.

The role of a data privacy breach lawyer is to make sure all these principles are followed by an organization.

Data breaches of personal information are taken seriously by the Canadian government. Under PIPEDA, the organization where the breach occurred must notify the persons whose information was leaked.

The reaction after a data breach is therefore twofold: the acts of the organization and the acts of the data owner.

Data breach notification law requires that the organization inform data owners of the data breach right away. However, not all data breaches have to be reported. Instead, the organization must determine if it is reasonable to believe that there is a real risk of significant harm (RROSH) to the person.

Significant harm can mean:

To decide if the data breach can cause significant harm, the following factors are considered:

The decision to notify data owners is therefore discretionary. If your organization does not see a reasonable risk of significant harm, then following the data breach notification law may not be necessary. But what if it is necessary? When should you notify people?

The data breach notification law does not set a time limit. Instead, it says that your organization must inform the data owner as soon as feasible from the moment of discovery. Notify them in a clear, direct way. The notification should also include information that lets the data owner understand the significance of the breach and minimize harm.

Indirect notification is also possible. However, this is only allowed if:

Other than the data owner, organizations must also inform the Office of the Data Commissioner (OPC) using its prescribed form.

Under the data breach notification law, the alert should contain the following:

Once the data owner finds out about the data breach, they can take some steps to protect themselves. This can include changing passwords or setting up two-factor authentication. They can also freeze their credit and report any unauthorized transactions to the bank.

Here are some of the tips that organizations can include in their notification to help data owners protect themselves after a breach:

Yes. Violation of the data breach notification law lets any person file a complaint against the organization that committed the violation.

There are two approaches to data breach complaints. The first is a complaint against the organization for failure to notify. The second is a complaint because the organization did not follow the principles.

Complaints for violation of the data breach notification law are filed before the Office of the Privacy Commissioner (OPC). The Commissioner then decides whether to investigate based on the available evidence. If the Commissioner investigates, they will make a report and give it to the complainant.

So what can the complainant do after the report? They can file it before the Federal Court for a decision. Even if the OPC does not issue penalties for violations under the data breach notification law, the courts can.

The purpose of data breach notification law is to protect data owners. However, security problems can also place organizations in a very poor light, not to mention subject them to staggering penalties. Going above and beyond with data privacy is therefore the better course of action for organizations.

For added security in your operations, check out our directory of Lexpert-ranked best law firms for data protection and privacy in Canada. This page lets you find specific firms based on jurisdiction, especially if you are operating in areas like Alberta with its own privacy laws.