Canada Data Privacy Laws
Privacy Legislation in Canada
Canada has two federal privacy laws, the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Privacy Act took effect on July 1, 1983. This Act imposes obligations on some 250 federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information. The Privacy Act gives individuals the right to access and request correction of personal information about themselves held by these federal government organizations.
Individuals are also protected by PIPEDA, which sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them.
Initially, PIPEDA applied only to personal information about customers or employees that was collected, used or disclosed in the course of commercial activities by the federally regulated private sector, organizations such as banks, airlines, and telecommunications companies. The Act now applies to personal information collected, used or disclosed by the retail sector, publishing companies, the service industry, manufacturers and other provincially regulated organizations. The Act does not apply to the personal information of employees of these provincially regulated organizations.
On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), Senate Bill S-4, into law. The DPA amends PIPEDA, including introducing a new data breach notification requirement, which comes into force on dates to be fixed by order of the Governor in Council. This federal legislation applies to commercial activities except where provinces (such as British Columbia, Alberta and Quebec) have implemented their own private sector privacy legislation. For additional details, see the Federal Privacy Commissioner website.
Highlights of the new legislation include:
New consent standard & exceptions
Mandatory data breach notification requirement
Enhanced Canadian Privacy Commissioner Powers
The federal government may exempt organizations or activities in provinces that have their own privacy laws if they are substantially similar to the federal law. PIPEDA will continue to apply in those provinces to the federally regulated private sector and to personal information in inter-provincial and international transactions by all organizations engaged in commercial activities.
Oversight of both federal Acts rests with the Privacy Commissioner of Canada who is authorized to receive and investigate complaints.
Provincial and Territorial Laws
Every province and territory has privacy legislation governing the collection, use and disclosure of personal information held by government agencies. These acts provide individuals with a general right to access and correct their personal information.
Oversight is through either an independent commissioner or ombudsman authorized to receive and investigate complaints.
How privacy is protected in the private sector
PIPEDA applies to all organizations engaged in commercial activities unless the federal government exempts an organization or activity in a province that has substantially similar legislation to the Act.
British Columbia, Alberta and Quebec are the only provinces with laws recognized as substantially similar to PIPEDA. These laws regulate the collection, use and disclosure of personal information by businesses and other organizations and provide individuals with a general right of access to, and correction of, their personal information. Ontario, New Brunswick, and Newfoundland and Labrador, meanwhile, have adopted privacy legislation to protect personal health information which has been recognized as substantially similar.
PIPEDA does not prevent an organization from transferring personal information to an organization in another jurisdiction for processing. However, PIPEDA establishes rules governing those transfers, particularly with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices. These considerations apply whether moving data in the cloud or otherwise. It is important to note that many non-Canadian-based cloud providers may also be subject to PIPEDA. To the extent that a cloud provider has a real and substantial connection to Canada, and collects, uses or discloses personal information in the course of a commercial activity, the provider is expected to protect personal information in keeping with PIPEDA.
Sector-Specific Legislation Dealing with Privacy
Several provinces have passed legislation to deal specifically with the collection, use and disclosure of personal health information by health care providers and other health care organizations.
Several federal and provincial sector-specific laws include provisions dealing with the protection of personal information. The federal Bank Act, for example, contains provisions regulating the use and disclosure of personal financial information by federally regulated financial institutions. Most provinces have legislation dealing with consumer credit reporting. These acts typically impose an obligation on credit reporting agencies to ensure the accuracy of the information, place limits on the disclosure of the information and give consumers the right to have access to, and challenge the accuracy of, the information. Provincial laws governing credit unions typically have provisions dealing with the confidentiality of information relating to members’ transactions. A large number of provincial acts contain confidentiality provisions concerning personal information collected by professionals.
Satisfying Canadian Data Privacy Requirements via a Cloud Data Protection Platform
The Blue Coat Cloud Data Protection Gateway lets Canadian enterprises define their data protection policies to ensure that sensitive data is appropriately secured and protected in cloud applications. Authorized data security administrators can select, on a field-by-field basis, whether data going to the cloud remains in clear text, is encrypted, or is replaced with a token. When tokens are used as a surrogate value, the sensitive data never leaves the organization’s control in any format, making this approach particularly useful for organizations that need to adhere to Canadian privacy laws.
The data in the cloud is either tokenized or encrypted so it is meaningless when viewed in the cloud, and organizations can be confident that their sensitive data is within their full control at all times.