Canada’s Digital Privacy Act is an amendment to PIPEDA and as of November 1st, 2018 has added requirements that should cause Canadian businesses that handle customer information to look at their current data protection safeguards (or lack thereof).
The new rules, in force since November 1st, 2018, introduce changes under the Digital Privacy Act in Canada that all businesses (not just those who work directly with data) must be aware of. The biggest change is an organization’s obligation to “Record, Report and Notify”. A breach of security safeguards that “creates a real risk of significant harm to an individual’s personal information” requires a compliant company to report and notify. However, the new record-keeping obligation is triggered by ANY breach of security safeguards, no matter how trivial or insignificant the breach is.
So what amounts to a breach of security safeguards? Currently, the primary rules surrounding data protection include:
- All client data is protected, encrypted and restricted while in transit, in use or in storage.
- All client data is protected from both internal and external threats.
- All client data is stored and secured on site.
- All client data retention policies are adhered to.
- All PIPEDA data retention policies are adhered to.
For a better understanding of what a breach is, the act defines it as follows:
“the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.”
In short, there must be a loss of, unauthorized access to, or unauthorized disclosure of, personal information that’s either caused by a breach of security safeguards, or that’s the result of not having safeguards in place. Under this new definition of a “breach of security safeguards”, each of these common scenarios is a breach of which the organization must make and maintain a record, and evaluate for purposes of reporting and notification:
- An employee violates the employer’s “clean desk policy”, and a co-worker from another department sees a customer record.
- An employee allows their child to use their smartphone, which also contains customer information.
- An employee flying on a business trip decides to use the plane time to work on a report, and the passenger behind them can see the employee’s laptop screen.
As you can see, the examples above are VERY broad in scope, and that’s the key. Any time you feel there may have been a breach of your security safeguards, it is your responsibility to report it to the privacy officer at your company (which you are now required to have), no matter HOW SMALL the breach may be.
As you can see, there is now a very high standard for ensuring that data in your care is kept secure, and with fines of up to $100,000 for non-compliance, it may be time to review your own data security safeguards.
Reach out to us for more information on how JR Direct can help safeguard your data, maintain compliance, and help you avoid potential data breaches.