law books with scales.
law books with scales.

What you need to know about the Digital Privacy Act

On June 18 of this year, the Digital Privacy Act (known as Bill S-4) reformed the Personal Information Protection and Electronic Documents Act (PIPEDA). There are some implications that businesses need to be aware of such as: fines & penalties associated with a reporting a breach, the need to inform clients, proper record keeping requirements, and change to consent.

Fines & Penalties

Organizations are now obligated to record and report any breaches of their security safeguards. They also can’t obstruct an investigation or audit into a breach, or they will be liable for fines up to $100,000 for an indictable offence, or a fine of up to $10,000 for offences punishable on summary conviction.

Notifying clients in the event of a breach

Organizations are also required to notify individuals that are affected by the breach if it could cause harm to the individual. Harm is broadly defined as anything that includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identify theft, negative effects on the credit record, and damage to or loss of property. The organization also has to notify the Office of the Privacy Commissioner of Canada.

Breach Record Keeping Requirements

Organizations are required to keep record of every breach of security that involves personal information under control. These records must be provided to the Privacy Commissioner when requested. There are currently no details on how long the records need to be retained, how the records must be designed and maintained, and the level of detail required in the report. It is a good idea for organizations to keep a record of a breach no matter how trivial or inconsequential they may seem.

Obtaining valid consent from customers, clients or users when obtaining their data or personal information, has also changed under this new bill. While organizations were always required to obtain consent, the new legislation emphasizes the need for the user to understand the nature, purpose and consequence of the data collection. Privacy policies should be written in clear and simple language to ensure that consent is valid.

Next steps for businesses

Businesses that handle or collect personal information should:

  • Review privacy policies and security safeguards to ensure compliance.
  • Board of Directors should review their risk management and allocation of risk surrounding the new monetary penalties.
  • Review or develop new response plans and continuity plans that comply with the new reporting and notification requirements.

Remember, being proactive now will save time and money in the future.

This blog is provided for information only and is not a substitute for professional advice. We make no representations or warranties regarding the accuracy or completeness of the information and will not be responsible for any loss arising out of reliance on the information.

Related Topics

Get a quote
Close

    Contact Us

      Contact Us