In an increasingly digital world, personal information is becoming harder to protect. In response, many countries have enacted privacy laws to strike a balance between information collection and an individual's right to privacy. The resulting landscape can be complex; Canadian data privacy laws, in particular, range from federal statutes to province-specific ones.
Various governmental agencies and organizations are responsible for monitoring compliance with these laws. Every jurisdiction in Canada – federal, provincial, or territorial – has an independent Information and Privacy Commissioner who manages the data protection laws in their jurisdiction and reports to their legislature. These laws affect organizations of all sizes across a variety of industries, from finance and healthcare to education and technology. So which should you be most concerned about, and how can you ensure compliance?
Federal Canadian data privacy laws
Canada’s federal privacy-related legislation aims to protect citizens’ privacy by regulating how entities handle personal information. Nationwide Canadian data privacy laws include:
- The Privacy Act. This Act controls how federal government agencies manage personal information and gives individuals the right to access any of their information held by the federal government. The Privacy Act established the Office of the Privacy Commissioner of Canada (OPC), who is an Officer of Parliament. The Privacy Commissioner can audit governmental institutions and has the power to investigate complaints.
- The Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA governs how private sector organizations handle personal information in the course of commercial activity. It requires meaningful consent for the collection, use, or disclosure of personal data (express consent for sensitive information; implied consent is acceptable only in limited, low-sensitivity contexts), and it gives individuals the right to access their information and request corrections. The OPC oversees PIPEDA as well. The Act applies across the country to federally regulated businesses in industries like banking, airline travel, and telecommunications, and to other commercial organizations except where a province has enacted substantially similar legislation. A business outside Canada that collects personal information about individuals in Canada can also be subject to PIPEDA if it has a real and substantial connection to Canada, regardless of whether it has a physical presence in the country.
These laws apply to any personal data, managed in the cloud or otherwise.
PIPEDA does not prohibit transferring personal data to an organization in another jurisdiction for processing, but the transferring organization remains accountable for that data: under the Act's accountability principle it must use contractual or other means to ensure the third party provides a comparable level of protection, and it remains bound by PIPEDA's rules on how the data can be collected, stored, used, or disclosed. Cloud providers and their customers therefore need to familiarize themselves with the limitations PIPEDA places on data handling. Non-Canadian cloud providers with a real and substantial connection to Canada may also be subject to PIPEDA directly.
Since November 2018, breach reporting under PIPEDA has been mandatory: an organization that suffers a breach of security safeguards creating a real risk of significant harm (RROSH) to an individual must report it to the Privacy Commissioner of Canada and notify the affected individuals as soon as feasible, and it must keep a record of every breach of security safeguards, reportable or not, for 24 months. Following the guidance published by the Federal Privacy Commissioner, organizations should take four steps to address a security breach:
- Contain: Identify and contain the breach as best as possible
- Evaluate: Evaluate the damage and identify the cause
- Notify: Determine who needs to be notified (reports to the OPC and notification of affected individuals are mandatory only when the breach creates a real risk of significant harm [RROSH], assessed from the sensitivity of the information and the probability it will be misused; breaches below that threshold still belong in the organization's breach record)
- Prevent: Devise methods of preventing future data breaches
Even in provinces whose legislation has been declared substantially similar to PIPEDA, federal works, undertakings, or businesses (FWUBs) remain subject to PIPEDA. Organizations in the Northwest Territories, Yukon, and Nunavut are also treated as FWUBs.
Health privacy laws in Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have been declared substantially similar to PIPEDA with respect to health information custodians, so PIPEDA doesn't apply to those custodians' handling of personal health information within the province. Other commercial organizations in those jurisdictions must still comply with PIPEDA.
Provincial privacy laws
In addition to Canada's federal laws, many provinces have privacy laws that apply instead of or alongside federal legislation. PIPEDA exempts organizations in provinces with substantially similar private sector laws (Alberta, British Columbia, and Quebec), except where the information crosses national or provincial borders. In the remaining provinces, PIPEDA applies to private sector organizations, while public bodies comply with province-based access and privacy legislation.
British Columbia and Alberta privacy laws
To protect individual privacy, British Columbia's and Alberta's Personal Information Protection Acts (PIPAs) require private sector organizations to obtain consent for the collection, use, and disclosure of personal information. These laws give individuals the right to access their personal information upon request. In both provinces, the acts apply to organizations in the private sector, including incorporated and unincorporated businesses, partnerships, and trade unions. In Alberta, PIPA also applies to non-profit and professional regulatory organizations, and British Columbia's PIPA also applies to non-profit organizations and trusts. Non-compliance with either Act may incur a fine of no more than $10,000 in the case of an individual, or no more than $100,000 for organizations.
New Brunswick privacy laws
Private-sector organizations in New Brunswick fall under PIPEDA coverage, but public sector legislation includes the Right to Information and Protection of Privacy Act (RTIPPA) and the Personal Health Information Privacy and Access Act (PHIPAA).
RTIPPA protects individuals’ personal information held by public institutions by giving people the right to access their records and request corrections. The act also controls how institutions can collect data. Not complying with RTIPPA is a category F offense, which can lead to fines of no less than $240 and no more than $10,200. Multiple or subsequent convictions of category F offenses can lead to a maximum fine of $15,000 and possible imprisonment for individuals or an additional $9,000 fine for organizations.
PHIPAA applies to healthcare custodians in public and private sectors of New Brunswick. This act gives patients the right to access their personal health information and request modifications. It also regulates the collection, storage, use, disclosure, and destruction of personal health information by health custodians. Breaching PHIPAA is also considered a category F offense, subject to the same penalties as RTIPPA.
Newfoundland & Labrador privacy laws
PIPEDA covers the private sector in Newfoundland and Labrador, while the Personal Health Information Act (PHIA) and the Access to Information and Protection of Privacy Act (ATIPP) cover the public sector. PHIA regulates how health custodians manage personal health information. ATIPP applies to public bodies and gives citizens the right to access their records while controlling how public bodies collect, use, and disclose personal information. Non-compliance with PHIA or ATIPP may incur fines of up to $10,000, imprisonment for up to six months, or both.
Nova Scotia privacy laws
Nova Scotia’s private sector organizations are also subject to PIPEDA, while the public sector falls under the umbrella of the Personal Health Information Act (PHIA) and the Freedom of Information and Protection of Privacy Act (FOIPOP).
PHIA regulates the collection, use, storage, disclosure, and disposal of personal health information by health custodians. Individual penalties for not complying with PHIA may include fines up to $10,000, imprisonment for six months, or both. Corporate penalties for not complying with PHIA may include fines up to $50,000, and the individuals involved may face additional individual penalties.
FOIPOP allows individuals to access their personal information held by the Nova Scotian government and protects the privacy of those who don’t want their personal information made public. This law applies to hospitals, public bodies, municipalities, and universities. Offenses of this act may incur penalties of up to $2,000, imprisonment for six months, or both.
The Personal Information International Disclosure Protection Act (PIIDPA) protects Nova Scotians from personal data disclosure outside of Canada, and the Privacy Review Officer Act gives review officers the power to investigate privacy breaches. Breaching PIIDPA may incur fines of as much as $500,000 or imprisonment, depending on whether the offender is an individual, a service provider, or a corporation.
Ontario privacy laws
Personal information and personal health information are considered separately under Ontario’s data privacy laws. Ontario’s access and privacy laws protecting personal information include the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). FIPPA covers Ontario governmental institutions, while MFIPPA covers municipal organizations, such as local boards and commissions or metropolitan, regional, and district municipalities.
FIPPA and MFIPPA give individuals the right to access certain records and personal information held by institutions. These laws address the collection, storage, use, and disclosure of personal information by those institutions. Neither FIPPA nor MFIPPA requires consent when the collection falls within the legal authority the acts set out; institutions must, however, notify individuals when collecting their personal information. Non-compliance with FIPPA or MFIPPA can incur fines of up to $5,000 per offender.
Ontario's Personal Health Information Protection Act (PHIPA) regulates the collection, use, and disclosure of personal health information and generally requires individual consent. This law applies to health information custodians, which include individuals like doctors and nurses as well as organizations like hospitals and pharmacies in Ontario. Non-compliance may incur fines of up to $100,000 for individuals and $500,000 for non-individuals like corporations (amendments passed in 2020 doubled these maximums to $200,000 and $1,000,000 respectively).
Quebec privacy laws
Quebec's province-specific privacy law is the Act respecting the protection of personal information in the private sector. It establishes how private sector businesses may collect, store, use, and communicate personal information, and it defines "personal information" as any information that allows an individual to be identified, in any format, whether written, visual, filmed, taped, digital, or otherwise. Under the Act as it stood before 2021, non-compliance could lead to fines of as much as $100,000, depending on the number of offenses. The amendments enacted by Law 25 (Bill 64) in 2021 and phased in through 2024 raise the stakes considerably: administrative monetary penalties of up to $10 million or 2% of worldwide turnover, penal fines of up to $25 million or 4% of worldwide turnover (whichever is greater in each case), and mandatory reporting of confidentiality incidents presenting a risk of serious injury to the Commission d'accès à l'information.
International privacy laws and security frameworks applicable to Canadian businesses
GDPR in Canada
Whether based in Ontario or Tokyo, any entity that offers goods or services to, or monitors the behaviour of, individuals in the EU must comply with the EU General Data Protection Regulation (GDPR) when processing their personal data, regardless of where the processing actually occurs. Canadian organizations that handle the personal data of people in the EU therefore need to understand GDPR and what it demands of their information management.
To comply with GDPR, organizations must be able to demonstrate accountability for personal data: records of processing activities that show what data is collected, on what lawful basis, who has access to it, where it is stored or processed, and to whom it is disclosed. GDPR also gives individuals rights of access, rectification, erasure, and portability, which organizations must honour on request within statutory time limits. To evaluate compliance with GDPR, most Canadian institutions begin with a thorough audit of their data management systems.
Non-compliance with GDPR can lead to hefty fines: the upper tier of penalties reaches €20 million or four percent of total worldwide annual turnover, whichever is higher. That figure doesn't account for other damages like lost trust or reputational harm, both of which can have a significant negative impact on organizations.
NIST and ISO frameworks in Canada
Other worldwide security standards that influence Canadian policies include NIST and ISO. Organizations can utilize these frameworks to manage and secure their information assets, including financial data, intellectual property, personal information, and other sensitive data.
The National Institute of Standards and Technology (NIST) publishes the Cybersecurity Framework (CSF) and a companion Privacy Framework, voluntary guidance originally aimed at critical infrastructure and private sector organizations in the United States. The CSF organizes an organization's cybersecurity activities into core functions for identifying risks, protecting assets, and detecting, responding to, and recovering from cyber attacks and data breaches; the original framework had five such functions, and version 2.0, released in 2024, added a sixth, Govern. Many other countries have adopted and translated the framework. Public Safety Canada endorses the NIST framework for cybersecurity, but adherence is not legally required in the country.
Another widely used standard, ISO/IEC 27001, specifies the requirements for an information security management system (ISMS). Published jointly by the International Organization for Standardization (ISO), headquartered in Geneva, Switzerland, and the International Electrotechnical Commission (IEC), it sets out a risk-based management system and a catalogue of controls for keeping information secure, and ISO/IEC 27701 extends it with privacy information management requirements. Certification is not compulsory in Canada, but many organizations pursue it to manage security risk, demonstrate trustworthiness to customers and regulators, and support their privacy obligations.
Protecting data and ensuring privacy in Canada – what does it mean for organizations?
Canadian entities, whether private or public sector, have multiple privacy and security-related laws and regulations to abide by. This means your organization may have compliance obligations to meet if you store personal data, especially in the cloud, where both the data's physical location and the provider's jurisdiction matter.
To evaluate compliance with international and Canadian data privacy laws, begin with an in-depth privacy audit: inventory the personal information you hold, map where it flows (including to cloud providers and other third parties, and across provincial or national borders), and assess the procedures around collection, use, retention, and disposal. Cloud security and monitoring are essential parts of any organization's security posture, and the surest way to safeguard sensitive data is to layer multiple controls (access control, encryption, logging, and a tested breach response procedure) rather than rely on any single defence.
Overall, Canada’s data protection efforts are strong; with PIPEDA and other legislation, the country is positioned as one of the top countries for comprehensive privacy laws. The legal guidelines reflect Canadian sentiment on privacy and security, and Canadian citizens can confidently progress into a cloud-based world knowing that organizations are accountable for personal data security.