On June 18, 2015, Bill S-4, better known as the Digital Privacy Act (DPA), received Royal Assent and is now law, although several sections have yet to come into force. The DPA makes significant changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), including mandatory breach reporting to both the Privacy Commissioner and the affected individuals, and new fines of up to $100,000. Employers and other organizations should be aware of these amendments and evaluate their privacy policies and safeguards in light of the changes introduced by the DPA.
Key amendments to PIPEDA that employers and organizations should be aware of:
- The definition of “consent” has changed:
While PIPEDA specified that knowledge and consent were required, the DPA adds the additional requirement that it must be reasonable to expect that the individual understands what they are consenting to, i.e. that they understand the nature, purpose and consequences of the collection, use or disclosure. Clear, simple language should be used when requesting consent, particularly when dealing with vulnerable populations such as children.
- Breach reporting to the Commissioner will become mandatory: (not yet in force)
The DPA introduces, for the first time, mandatory reporting at the federal level in Canada. The Commissioner must be notified of any breach that creates a real risk of significant harm to an individual. The definition of significant harm is broad, and includes bodily harm, humiliation and damage to reputation as well as identity theft and financial loss, among others. The breach must be reported “as soon as feasible”, although how the Commissioner evaluates what constitutes an appropriate timeframe has yet to be determined. This requirement will come into force by Order in Council, on an unspecified day.
- Organizations will be required to report breaches to the impacted individuals: (not yet in force)
All individuals who may reasonably face a real risk of significant harm from the breach must also be notified directly and “as soon as feasible” following the breach. This notification must allow the individual to understand how the breach may impact them and what steps they can take to reduce or mitigate the risk, as the case may be. This requirement will come into force by Order in Council, on an unspecified day.
- The Commissioner may report breaches to the public:
Prior to the DPA, the Commissioner had a narrow power to make any information relating to personal information management practices public if it was in the public interest. The DPA significantly broadens this power to include any information that comes to the Commissioner’s knowledge during the exercise of their powers or duties.
- Failure to report a breach or a lack of record-keeping may result in significant fines:
The DPA introduces fines of up to $100,000 for failing to report any breach to both the Commissioner and the impacted individual as soon as feasible after the breach. Organizations may also be fined up to $100,000 for failing to maintain records of any breach. It is not yet clear how these provisions will be interpreted – whether the $100,000 limit would apply per organization, per breach event, per individual affected, or in some other way. For example, if ten subscribers’ personal information was taken from an organization on two different days, and the breaches were not reported, the maximum fine might be $100,000, $200,000, $1,000,000 or possibly some other number.
Of potential benefit to employers, the DPA expands the exceptions under which organizations may validly collect, use or disclose personal information without knowledge or consent. For example, information produced by an individual in the course of their employment, business or profession may now be used or disclosed as long as that use or disclosure is consistent with the purposes for which the information was produced. Additionally, organizations party to a prospective business transaction may now use and disclose personal information necessary to the transaction, subject to an agreement to protect that information and to return or destroy it if the transaction does not proceed.
Tips for Employers and Organizations:
- Review existing consent forms to ensure that the language is clear, particularly when dealing with vulnerable populations, and re-obtain consent if needed.
- Review and update privacy policies and security safeguards to address reporting procedures.
- Ensure that privacy policies address record-keeping, and that employees know how to proceed should a privacy breach occur.
- As a general tip, privacy policies and security safeguards should be monitored and updated on a regular basis to ensure they are current and are still being followed.
To learn more about the DPA, and to find out if and how it might apply to your business, please contact us.