As someone practicing for several years in the field of privacy law, I am asked to provide advice and to answer a variety of questions from both clients and other legal professionals on a myriad of privacy, access to information, and cyber liability related topics. The purpose of this article is to provide insight into some of the frequently asked questions. The questions outlined below are intended to address the concerns of a commercial entity or business (an organization) who is subject to the provisions of the Personal Information Protection and Electronic Documents Act, S.C. 2000 c. 5 (PIPEDA).
Can an organization transfer the personal information that it has collected from its customers to a third-party organization outside of the jurisdiction, for processing or storage?
PIPEDA permits the transfer of data including personal information collected by a Canadian organization to an organization in another jurisdiction for processing.
Under PIPEDA, Canadian organizations are held accountable for the protection of the personal information that is transferred. Principle 4.1.3 of Schedule 1 of PIPEDA provides: “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing”.
PIPEDA does not distinguish between domestic and international transfers of data. Where a Canadian organization transfers personal information to another Canadian organization or to an international organization, the Canadian organization remains responsible for ensuring a comparable level of protection while the information is being protected.
PIPEDA further stipulates that the organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Data Sharing or Data Usage Agreements or appropriate provisions in other contractual agreements setting out the responsibilities of the respective parties in any case where personal information is to be transferred and delineating the protections afforded the data are key.
A Data Sharing or Data Usage Agreement should be in place before any transfer of personal information takes place.
In the interests of transparency and accountability and ensuing that an organization's customers are aware that a transfer of their personal information for processing may occur we recommend a concurrent review and if necessary, amendments and updates to the organization's privacy policy or privacy statement.
The Office of the Privacy Commissioner of Canada (OPC) can investigate complaints and audit the personal information practices of organizations. This would include investigations to determine if comparable levels of protection exist while the information is being processed by a third party.
Does Quebec's Law 25 apply to my business?
Quebec's Act to modernize legislative provisions as regards the protection of personal information (“Law 25”) may in fact apply to your business or your client's business even though the business is not actually located in Quebec. Any organization or business that collects personal information from a Quebec resident, notwithstanding that the business or organization is not physically located in Quebec will be affected by Law 25.
Furthermore, Law 25 applies to an “enterprise … carrying on organized economic activity” which can include non-commercial as well as commercial activities and apply to not-for-profit and for-profit organizations.
Law 25 closely resembles the EU's General Data Protection Regulation (GDPR) and when compared to PIPEDA imposes more onerous requirements on an organization including expansive data subject rights and poses a greater potential for liability and if liability is established significantly higher administrative penalties than exist under PIPEDA.
If Law 25 applies to your organization or your client's organization a review of the organization's privacy and data collection practice is imperative to ensure the organization is compliant.
Assessing when to file a Breach Notification Report with the OPC.
Regardless of how careful an organization is with respect to its privacy and data security policies and procedures, privacy breaches can and invariably do happen. Examples can include having a computer or smart phone stolen from an employee's home or vehicle, inadvertently emailing personal information to an incorrect email address, an employee snooping incident or a hacking or phishing event.
Learning that a privacy breach has occurred can be an upsetting experience for an organization. The questions of what to do, who to notify and how do we prevent this from occurring again often arise. Often questions and concerns about reputation, potential adverse media attention, what will the OPC do if we file a breach notification report or will my business have to pay a fine exist.
As a privacy lawyer, I can assist your organization when a privacy breach occurs and can assist in assessing whether it is necessary for the organization to file a Breach Notification Report with the OPC.
PIPEDA requires organizations to keep records of all breaches of security safeguards, report breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals and to notify affected individuals about those breaches.
Significant harm is defined as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
In assessing whether the breach incident poses a real risk of significant harm to the individual the following considerations apply:
- the sensitivity of the personal information involved in the breach; and
- the probability that the personal information has been, is being, or will be, misused.
Some information such as medical and income/financial records will always be considered sensitive. In some cases, sensitivity maybe depend on the context. It is important to consider both the natura and type of personal information that has been breached and the circumstances of the breach.
Again, assessing the probability of misuse involves a consideration of several factors including, inter alia, what happened and how likely it is that someone will be harmed by the breach, evidence of malicious intent, has any harm materialized to date, has the personal information been recovered, etc.
As a privacy lawyer I can assist your business organization in determining the sensitivity of the information breached and in the assessment of the probability of misuse. Often a call to a privacy lawyer such as myself can ease the client's concerns and provide reassurance that the organization is appropriately addressing the privacy breach incident. I can also support the client or organization in completing and filing the breach notification report.
Conclusion
Seeking the advice of a privacy lawyer can add value to your business or your client's business. Not only do I deal with questions and concerns arising from PIPEDA, federal access to information requests and CSAL requirements but I am also available to address provincial privacy and access to information concerns as well as to provide general privacy and confidentiality advice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.