With data breaches on the rise, it is more critical than ever for governments to protect their citizens and businesses from cybercrime. Attackers are becoming increasingly sophisticated, which lets them compromise a computer system and persist there without being detected. When a breach is finally detected, do businesses know how to react? And has the federal government enacted laws that are adequate for the situation?
According to Daniel Therrien, Canada’s privacy commissioner, the country is “sadly falling behind what is the norm in other countries” with respect to the Canadian online privacy laws.
Canada has two primary federal privacy laws: the Privacy Act, which governs how federal government institutions handle personal information, and the Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs private-sector organizations engaged in commercial activity. The Digital Privacy Act of 2015 did not create a separate regime; it amended PIPEDA, and it is the source of the breach-reporting and recordkeeping provisions discussed below. Both laws are overseen and enforced by the privacy commissioner.
Therrien noted in a report to Parliament in September 2018 that his office does not have the enforcement powers it needs to back these laws. In particular, he cites the need for the power to inspect and audit companies that work in tandem with the federal government.
Pointing to the relative permissiveness of Canadian online privacy laws, Therrien argues that it is not enough to expect companies to do the right thing where privacy is concerned. Consumers need strong federal laws to protect them.
Let’s look at the current Canadian online privacy laws
1. The GDPR
Privacy experts in Canada are looking to Europe for guidance. With its General Data Protection Regulation having come into effect on May 25, 2018, the European Union is leading the way in privacy legislation. The GDPR gives ordinary citizens control over their personal data and how it is used. Organizations are required to obtain clear, affirmative consent and to provide full disclosure about how personal data is collected and processed.
Taking a cue from Europe, Canada is bringing the remaining amendments to PIPEDA into force; the breach-reporting and recordkeeping provisions take effect on November 1, 2018. These changes will affect virtually all commercial operations within Canadian borders. The most significant of them are mandatory breach reporting and the keeping of comprehensive records of every breach of security safeguards.
An organization that experiences a breach will be required under the amendments to report the breach to individuals who may suffer harm as a result of the breach and to the privacy commissioner.
The office of the privacy commissioner has already stated that most Canadian organizations are woefully unprepared when it comes to complying with the new aspects of the law. This is a serious concern with breaches happening on a regular basis and a growing distrust among the populace when it comes to placing their private information in the hands of businesses.
2. Mandatory Breach Reporting
When a data breach creates a “real risk of significant harm” to individuals, companies will be required to notify those individuals. “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property. Whether the risk is “real” is assessed from factors such as the sensitivity of the data involved and the probability that it will be misused.
The notification to individuals must contain certain details: the circumstances of the breach, when it occurred (or the period during which it occurred), and which personal information was involved. Affected individuals must also be told what steps the organization has taken to reduce the risk of harm, what steps they can take themselves, and how to contact the organization for further information about the breach and the recovery effort.
3. Written Reports to the Privacy Commissioner
As soon as feasible after a breach, organizations must also report it to the privacy commissioner. The report explains how the breach happened, estimates how many people are affected, identifies what personal information was compromised, describes how and when affected individuals were or will be notified, and sets out the steps taken to reduce the risk of harm.
4. Updates to Recordkeeping Requirements
The new provisions require organizations to keep a record of every breach of security safeguards, not only those reported to the commissioner, from the moment the breach is discovered. These records must be retained for a minimum of 24 months after the day the organization determines the breach occurred, and they must be provided to the privacy commissioner on request, which makes their completeness and accuracy critical. Knowingly failing to report a breach or to keep the required records is an offence under PIPEDA, punishable by a fine of up to $100,000.
It is becoming increasingly clear that companies must do everything they can to secure their systems and must have an incident response plan in place so that they can respond appropriately, and within the new legal requirements, when a breach occurs. Privacy Canada helps individuals and organizations across the country protect themselves online.