Digital Privacy Act, SC 2015, c 32
What is the Digital Privacy Act?
The Digital Privacy Act (DPA) received Royal Assent in 2015 and significantly amended the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the federal Act that governs how private-sector organizations collect, use and disclose the personal information of Canadians in the course of commercial activity. The DPA's amendments include specific language on consent, the powers of the federal Privacy Commissioner, the scope of the Act and breaches of security safeguards (privacy breaches).
While most of the amendments came into force in 2015, the breach-notification provisions were held back until supporting regulations could be developed. Like PIPEDA itself, those provisions apply to federal works, undertakings and businesses anywhere in Canada, and to other private-sector organizations in provinces that have not enacted substantially similar private-sector privacy legislation. Newfoundland and Labrador's Personal Health Information Act (PHIA) has been declared substantially similar to PIPEDA, but PHIA applies only to health information custodians: persons who have custody or control of personal health information because of their powers, duties or professional position. Newfoundland and Labrador's other privacy statute, the Access to Information and Protection of Privacy Act (ATIPPA), governs public bodies and is not considered substantially similar to PIPEDA.
Now, just over three years after Royal Assent, the DPA's breach regulations (the Breach of Security Safeguards Regulations) are final and come into force on November 1, 2018. The question is: are you ready?
What are the new provisions of the DPA?
The provisions coming into force in November set out the obligations an organization must meet when it suffers a breach of security safeguards involving personal information under its control. The organization must notify the affected individuals and report to the federal Privacy Commissioner when it is reasonable to believe the breach creates a "real risk of significant harm" to an individual; it must also notify any other organization or government institution that may be able to reduce the risk of harm or mitigate it. Notification must be given as soon as feasible after the organization determines that the breach has occurred. Separately, and regardless of whether the harm threshold is met, the organization must keep a record of every breach of security safeguards for two years after the day it determines that the breach occurred, and must provide those records to the Commissioner on request.
How does the DPA define "significant harm"?
The DPA defines significant harm inclusively, so the harms it lists are examples rather than a closed list:
Bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The DPA also sets out factors that an organization must consider in determining whether a real risk of significant harm exists. These include:
How should affected individuals be notified?
Affected individuals must be notified directly, whether in person, by telephone, by mail, by email or by any other form of direct communication that a reasonable person would consider appropriate in the circumstances.
The regulations also provide for indirect notification (for example, a public announcement) where direct notification is not feasible. Indirect notification is permitted in circumstances where:
What should be included in the notifications?
As noted above, the DPA requires an organization to notify the affected individuals and to report the breach to the federal Privacy Commissioner.
Notification to the affected individuals must include:
The report to the Privacy Commissioner must be in writing and must include:
What are the penalties for non-compliance with the new provisions of the DPA?
Enforcement falls to the federal Privacy Commissioner, who provides oversight and investigates complaints under PIPEDA. The DPA also creates new offences: an organization that knowingly fails to report a breach to the Commissioner, fails to notify affected individuals, or fails to keep the required breach records can be prosecuted and fined up to $10,000 on summary conviction or up to $100,000 on indictment. As with existing PIPEDA offences, the courts impose those fines, and following a Commissioner's investigation the Federal Court may also order an organization to correct its practices.
Counting down to November 1st…
The breach regulations come into force on November 1. Organizations should review the breach-reporting materials published online by the Office of the Privacy Commissioner, which to date have addressed voluntary reporting, and update their incident-response policies and procedures now so that the mandatory notification, reporting and record-keeping requirements can be met from day one.