You have likely heard of the General Data Protection Regulation (GDPR), and you probably refer to this standard whenever the topic of privacy and data processing arises. But what about outside of the EU? The Office of the Privacy Commissioner of Canada (Commissariat à la protection de la vie privée du Canada) has a Twitter account that shares information regarding privacy and an individual’s rights in Canada.
Check out our educational poster on protecting privacy online. While it is aimed at youth in grades 4-6, it’s a good reminder for all of us! https://t.co/9a69NIUXa5 pic.twitter.com/u1VuNsDcXT
— OPC (@PrivacyPrivee) January 8, 2020
I like the content they share, as it demystifies rights for adults and even children. I have also found that their content has taught me a few things. What I wasn’t aware of was the Personal Information Protection and Electronic Documents Act (PIPEDA). In French, this is “Loi sur la protection des renseignements personnels et les documents électroniques,” which entered into law on 13 April 2000. Not only was this act implemented so that Canadian consumers could trust e-commerce, but it was also enacted to reassure the EU that Canadian privacy laws protect the personal information of its citizens.
If you are familiar with GDPR, a bit of the terminology may feel similar. But again, this predates GDPR, it is Canadian, and it is reviewed every five years, so do not expect it to be identical. Just like under GDPR, individuals under PIPEDA have the right to access the data the organization has collected on them, and they can update their data to reflect more accurate information. However, noticeably not mentioned is the right to be forgotten.
PIPEDA is defined by ten principles:
- Accountability
An individual or team must be in place to hold responsibility for the privacy policies and procedures within the organization. It is vital that they are given appropriate levels of authority in order to intervene on privacy concerns. Whilst it seems obvious that the name and/or title of the compliance person(s) is distributed internally, within PIPEDA this must also be done externally. This external notification carries over to the policies and practices for in-house and third-party processing.
TIP from the Privacy Toolkit: train your front-line and management staff and keep them informed so that they can answer the following questions.
- How do I respond to public inquiries regarding our organization’s privacy policies?
- What is consent? When and how is it obtained?
- How do I recognize and process requests for access to personal information?
- To whom should I refer complaints about privacy matters?
- What are the ongoing activities and new initiatives relating to the protection of personal information at our organization?
Additional tips: Consider having an FAQ-style support page, kept up to date and available to all employees, that identifies common questions and high-priority issues, such as when information is requested and how to respond properly, in order to reduce the likelihood of a data breach.
- Identifying purposes
As it sounds, this is the ‘why’ of collecting personal information. Traditionally, organizations have been happy to collect massive amounts of data, often improperly tagged and with no immediate use for the information. Today, PIPEDA and many other regulations restrict organizations to collecting only the information that is required to complete a transaction. Additionally, this processing must be transparent and defensible.
- Consent
Data collection should occur only if the organization has a valid, reasonable expectation that personal information must be collected to complete a transaction, and if the individual who agrees to this understands the nature, purpose, and consequences of the collection, including disclosure to third parties. Organizations must be clear about what is required and provide meaningful information to the consumer prior to their approval. They should never seek to obtain consent via deceptive means or withhold services from individuals who do not consent (beyond those actions that genuinely require the information to complete).
- Limiting collection
As described in the previous principles, do not collect personal information without a legitimate processing requirement, and do not mislead an individual about the reasons for collection.
Summarised TIP from the Privacy Toolkit: by following the principles within PIPEDA, you can:
- Lower the cost of collecting, storing, retaining, and ultimately archiving data.
- Reduce the risk of inappropriate uses and disclosures.
- Limiting use, disclosure, and retention
When documenting the requirements for the processing of personal information, include retention requirements. This retention policy must also meet the expectations of a ‘reasonable person.’ Destruction of personal information, including the hardware it is stored on, must follow best practice to reduce the likelihood of unauthorized disclosure.
- Accuracy
Provide an honest representation of how personal information will be processed, and put procedures in place to verify that the collected information is complete, up to date, and accurate.
- Safeguards
From the start, organizations need to plan for holding personal information: protect it against likely attacks, unauthorized access, and loss, and maintain its integrity. Whilst PIPEDA doesn’t specify which controls are required, it does require adequate controls.
- Prior to release, organizations should have controls in place to protect personal information.
- They should also implement privacy program policies and procedures, present those effectively to consumers, train employees on those policies, and regularly review them to make sure they’re up to date.
- Openness
When creating policies, procedures, and information packages for consumers on how information is processed, organizations should make these materials clear, concise, and easily available.
- Individual access
Organizations need to realize that consumers are consenting to provide temporary access to their personal information. As such, the organization does not hold any ownership of that data, just temporary access. Therefore, it is reasonable that consumers should have access to their information in order to understand what is stored, to maintain its accuracy, and to revoke consent as required.
- Challenging compliance
Privacy management programs should be maintained, reviewed, and updated on a regular basis. When individuals request the personal information being held about them, organizations should make sure their replies and responses adhere to the 30-day limit. Whilst there are exceptions to the 30-day limit for some situations, it’s best to follow this approach in all situations. Therefore, organizations should educate staff, design environments, and put controls in place with this expectation in mind.
This is a perfect example of how to explain app permissions. 👏 @ObscuraApp pic.twitter.com/YADzKYKQ13
— Bryan (@bry_campbell) December 27, 2019
Above, Bryan shares an excellent example from Obscura on how to be clear, concise, and honest in stating the reasons for data access. Customers will appreciate this transparency, as the Office of the Privacy Commissioner of Canada notes on its website:
Your customers will appreciate doing business with an organization that shows a respect for their privacy rights. This appreciation can lead to a competitive advantage for your business. Organizations should see this as an opportunity to review and improve their personal information handling practices.
No amount of money, controls, or practices can prevent 100% of incidents. Therefore, organizations should design their solutions with an understanding of the risks and in an effort to defend against likely attacks, all while empowering consumers to make educated decisions on whether a service aligns with their needs. When an incident does occur, an organization can then demonstrate that it designed the solution to minimize the impact and to be transparent to the consumer, giving it a stronger defense in the face of reputational damage and fees.
About the Author: Zoë Rose is a highly regarded hands-on cybersecurity specialist, who helps her clients better identify and manage their vulnerabilities and embed effective cyber resilience across their organisation. Zoë is a Cisco Champion and certified Splunk Architect, who frequently speaks at international conferences. Recognised in the 50 most influential women in cybersecurity UK for the past two years, and the PrivSec 200, Zoë is quoted in the media, has presented on National News, has been featured in Vogue Magazine, and was the spokesperson for Nationwide’s Over Sharing campaign that had a reach of 306 million citizens.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.