There are 98 Sections to the ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR that were impacted by the passing of Bill 64 in September of 2021. Some are similar to obligations within PIPEDA, but these obligations will be strongly enforced by the CAI in Quebec. As it was written back in 1999, PIPEDA does not have a method for strong enforcement within the Act, which is one of the many reasons the Privacy Commissioner of Canada has been begging for updates in Canada’s privacy legislation. Yet again, the Federal government has ignored, or at best paid lip service to these pleas leaving Quebec to step up with tough new legislation to protect its citizen’s personal information. With this development, we can expect revisions to PIPEDA this year. It remains to be seen if PIPEDA will provide the same protection for all Canadians as Bill 64 does for Quebec citizens.
It is easy to take the position that your organization is not located in Quebec so PPIPS does not apply, but the scope includes any organization who collects, uses, shares and stores personal data of Quebec citizens. According to Canada Population, Quebec accounts for 22.5% of the country’s population.
Any organization that operates in Canada knows that 20-25% of the data you collect belongs to a resident of Quebec, so any organization that operates in Canada must comply with PPIPS.
This new law comes into force in 3 distinct stages, the first one coming in September 2022. Most of these first 25 Corporate Obligations will come into force this year. The team here at Newport Thomson is scouring the 98 Sections of PPIPS to determine all of the new obligations for organizations who deal with personal data, but for starters, here are the first 25:
- Protect Personal data the organization captures, stores, shares or uses (Sec 3.1) Every investigation the CAI conducts will include their assessment of your organization’s effort to protect personal information in your care. RECOMMENDATION: Do a detailed inventory of all PI held or planning to be collected by your organization. Any fields you are not using you should delete. While data is considered an asset by most, these new data protection and privacy laws may transform this personal data to a liability. Be sure you are using what you collect and you are only collecting what you intend to use. We also recommend centralizing and securing this data. Too many copies in a variety of formats can dramatically increase the chance of having a Confidentiality Incident (a data or privacy breach) while making it extremely difficult for your security team to protect effectively.
- CEO must Appoint a Privacy Manager (Sec 3.1). Quebec holds the “highest authority” in the organization accountable to see that this “Act is implemented and complied with”. It is clear they intend to hold the CEO accountable for all personal information that is collected, used, shared or stored, and for the security of that data. Should we brace ourselves for some stiff personal fines to CEOs next Fall and in the Spring of 2023? RECOMMENDATION: CEOs must understand what PI is being collected, used, shared and stored by the organization at all times. Appointing a capable Privacy Manager and setting up a reporting process with operational detail should be implemented as soon as possible.
- Publicly display the Privacy Managers contact info on the copy website(s). The new privacy standard in Canada includes a requirement to publicly post your Privacy Manager’s name and contact information so they are easily reached. It is suggested this be placed on the corporate website in an obvious spot (base bar?)
- establish Privacy Policies and Procedures (Sec 3.2). This is no longer a “nice to have”. This is now a “must have”. Organizations who do not have a Privacy & Security Policies and Procedures Manual will likely receive a fine if investigated by the CAI.
- Publish those policies and procedures on corp website(s). Your Privacy Manager must arrange the publishing of your Privacy Policies and Procedures. We have an excellent structure here at Newport Thomson, including templates that we are currently automating so any size organization can log in, set up their Manual and allow their staff (and public) to view the details.
- Conduct DPIAs for all new “information system project or electronic service delivery project involving PI (Sec 3.3). Any time a significant change is made to your system or new software is added to your network, a Data Protection Impact Assessment (DPIA) must be completed. For those not familiar with a DPIA they help an organization fully understand the data they are collecting, using, storing, sharing and deleting. A DPIA forces the organization to thoroughly think their data governance through, understanding the potential impact on the individual’s personal data they hold.
- The Privacy Manager must be involved in the DPIA process (Sec 3.2). This must be lead by the Privacy Manager, not simply delegated to a convenient staffer or contractor. Many consultants are very familiar with this process and can be a key part of it, butte Privacy Manager is in the lead.
- All data must be kept in a “structured, commonly used technical format” (Sec 3.3). In the past, organizations have used formats to make it far more difficult, even impossible, for organizations to transfer a person’s personal data to a competitor at the request of the individual. That stops now. This is something we expect to see a lot of fines for under Bill 64. As it is the final issue to come into force, organizations do have some time to figure this out, but Privacy Managers are best to start planning how to do this. It is a key part of the compliance journey.
- Take reasonable measures to “reduce the risk of injury” of Confidentiality Incidents (Sec 3.5). As soon as a Confidentiality Incident, that has the potential for “serious risk of injury” to the individuals involved, is reported, the organization should communicate to all individuals involved how they might mitigate any serious injury.
- Incidents that could result in a “risk of serious injury” must be reported to the Commission d’accès à l’information (CAI). These types of Confidentiality Incidents must be reported to the CAI immediately. The GDPR says within 72 hours. Bill 64 and PIPEDA says within a “reasonable timeframe”.
- If an incident involves the possibility of a risk of serious injury, the Data Subjects must be informed and told what they can do to minimize the risks. – unless it could hamper an investigation. (Sec 3.5).If revealing the incident to the public could potential worsen the situation, the “reasonable timeframe” can be moved out until it is safe to do so.
- All communication documents (to the CAI or Data Subjects) must be retained and stored. (Sec 3.5).As there has been no enforced requirement to communicate, most organizations do not have a process in place to do so. We recommend the Privacy Manager create this process and write policies & procedures that would be included in the Privacy & Security Manual. These procedures should include a simple method of logging this information in a manner that makes it easy to retrieve when required to do so.
- …
