The Office of the Privacy Commissioner of Canada has published various online resources for both individuals and businesses to help better understand their obligations under the Personal Information Protection and Electronic Document Act (“PIPEDA”).[i]
Here are 3 tips on how small businesses can stay compliant under PIPEDA:
- Appoint an internal Privacy Officer: Appoint someone within the business to help facilitate ongoing compliance. Appointing an individual not only signals that you are holding someone accountable for this initiative, but it also helps ensure that personal information collection practices follow the Privacy Commissioner of Canada’s recommended guidelines and that the business remains compliant.
- Training modules for PIPEDA guidelines: In Schedule 1 of the Act, organizations are expected to follow a code for the protection of personal information which was developed in conjunction with the Canadian Standards Association. The 10 principles include accountability, identifying purposes, consent, limiting collection, limiting use (including disclosure and retention), accuracy, safeguards, openness, individual access and challenging compliance.[ii] Training your employees on these guidelines helps ensure that all staff understand their PIPEDA obligations.
- Audit of Information Collecting Practices: Holding an internal audit on a quarterly, semi-annual or annual basis demonstrates a business’s commitment to treating its personal information collection practices as a priority. These audits can also help ensure that your business remains compliant under federal privacy laws. Along with helping to prevent privacy breaches, being able to provide evidence of a consistent privacy plan could also mitigate the amount of any fine or damages that could be awarded against the company.
Taking steps to ensure your business remains compliant under federal privacy laws will require time and commitment from your organization. It also just makes good business sense, as your customers place a high value on you taking all steps possible to keep their data safe.
In the event of an investigation, there are three stages by which PIPEDA is enforced. Once an investigation begins, either initiated by an individual complaint or by an issue identified by the Office of the Privacy Commissioner of Canada (OPC), it moves into the ‘Intake’ stage. During this stage, the unit reviews complaints and gathers the additional information needed to move into the ‘Investigation’ stage. Once the complaint is accepted, the investigation commences. If the complaint cannot be easily resolved, a formal investigation will be required. The complaint may then move into the ‘Further Enforcement Tools’ stage.[iii]
Following the completion of the Privacy Commissioner’s investigation, a business can then face civil action for damages from the individuals who were affected by the breach.
DAS covers legal expenses for the business owner if civil action is brought against them as a result of a privacy breach. We also highly recommend that business owners use the numerous resources published by the Office of the Privacy Commissioner of Canada to help ensure they remain compliant. For more information visit: https://www.priv.gc.ca/en
[i] Office of the Privacy Commissioner of Canada, 2018. PIPEDA Compliance Help. Retrieved from: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/