AN INTRO TO PRIVACY LAWS
An introductory guide to Canadian privacy laws and how to be in compliance
Laura Brown, Senior DMS Advisor, Air Interactive Media
A publication of Air Interactive Media

TABLE OF CONTENTS
Introduction
Chapter 1: The Privacy Act
Chapter 2: PIPEDA
Chapter 3: CASL
Chapter 4: Cloud Storage
Conclusion
Introduction

Canadian privacy legislation restricts how businesses and government may collect and use personal information, and how they may use electronic means to communicate with the public and with their constituents. Two statutes govern the collection, use and disclosure of personal information: the Privacy Act (in force since 1983) for the federal government, and the Personal Information Protection and Electronic Documents Act (PIPEDA, enacted in 2000) for the private sector. A third law, Canada's Anti-spam Legislation (CASL), came into force on July 1, 2014 and specifically governs commercial email, text messages and similar messages sent to electronic addresses. The chapters that follow describe each law and what a business may and may not do to stay in compliance.

Canada therefore has two federal privacy laws: the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and PIPEDA, the federal private-sector privacy law. With the addition of CASL, businesses have a legal obligation to review their digital processes to ensure that they follow the rules, protect their data, and protect their customers' and prospects' information.

An overview of the privacy laws and CASL suggests that you will need a privacy policy in place to be in compliance. Although the Canadian government has provided the resources necessary to do that, concerns remain about the handling of digital information and its protection in the cloud. Is the cloud safe for storing data? The answer is both yes and no. So what must be done to gather customer information properly, use it for business purposes, and protect the data from theft? Here is what follows:

- The Privacy Act: the law and how it affects Canadian businesses.
- The Personal Information Protection and Electronic Documents Act (PIPEDA): the law and what businesses need to do.
- Canada's Anti-spam Legislation (CASL): the law and what businesses must do with electronic messaging.
- The Cloud: is your internet storage of data secure?
CHAPTER 1 The Privacy Act

The Privacy Act relates to an individual's right to access and correct personal information the Government of Canada holds about them, and to the Government's collection, use and disclosure of their personal information in the course of providing services (e.g., old age pensions or employment insurance). It should be noted that the Privacy Act does not apply to political parties and political representatives. For businesses, the only effect is on the business's employees as individuals: information held by the government could adversely affect an individual's employment status, and the law allows the individual to see what information the government holds about them and to request that it be corrected.
CHAPTER 2 The Personal Information Protection and Electronic Documents Act

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the ground rules for how private-sector organizations collect, use or disclose personal information in the course of commercial activities across Canada. It also applies to the personal information of employees of federally regulated works, undertakings or businesses (for example banks, airlines and telecommunications companies).

It should be noted that PIPEDA does not apply to organizations that are not engaged in commercial activity. As such, it does not generally apply to not-for-profit and charity groups, associations or political parties, for example, unless the organization is conducting a commercial activity (fundraising is not considered a commercial activity). In addition, PIPEDA does not apply to an organization that operates wholly within a province that has legislation deemed substantially similar to PIPEDA, unless the personal information crosses provincial or national borders. Alberta, British Columbia and Quebec have general private-sector legislation that has been deemed substantially similar.

Therefore, PIPEDA generally applies to:

- Private-sector organizations carrying on business in Canada in the provinces or territories of Manitoba, New Brunswick, Newfoundland and Labrador, Northwest Territories, Nova Scotia, Nunavut, Ontario, Prince Edward Island, Saskatchewan or Yukon, but not their handling of employee information.
- Private-sector organizations carrying on business in Canada when the personal information they collect, use or disclose crosses provincial or national borders, but not their handling of employee information.
- Federally regulated organizations carrying on commercial activity in Canada, such as a bank, airline, telephone or broadcasting company, including their handling of health information and employee information.

The Act basically provides three things:

1. People can access personal information held by an organization.
2. People can request correction of errors in their personal information.
3. People can file a complaint if they are not satisfied.

The Office of the Privacy Commissioner of Canada has set out the ten privacy principles below, which describe what a business must do to comply with the law when collecting, using and disclosing an individual's information.
Privacy Principles

Principle 1 - Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

Principle 2 - Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Principle 3 - Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

Principle 4 - Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Principle 5 - Limiting Use, Disclosure and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Principle 6 - Accuracy: Personal information shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used.

Principle 7 - Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8 - Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Principle 9 - Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 - Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
CHAPTER 3 Canada's Anti-spam Legislation (CASL)

CASL

CASL is in place to protect Canadians while ensuring that businesses can continue to compete in the global marketplace. The law defines what you can and cannot do regarding commercial messages sent to electronic addresses. There are basically three things a sender must do to be in compliance when sending commercial electronic messages: identify yourself, have the consent of the recipient, and provide an opt-out mechanism. The burden of proving consent rests with the sender. For a transition period, the law also allows use of a current business mailing list for 36 months from July 1, 2014 while consent is collected. It is your responsibility to understand and comply with the law.

The three general requirements for sending commercial electronic messages to an electronic address are:

1. Consent, which can be either express or implied. Express consent is given orally or in writing and does not expire until the recipient unsubscribes; it can also be obtained with opt-in check boxes at purchase or when someone requests information. Implied consent means the recipient has done business with you or requested information in the past and has not told you to stop. During the transition period you have 36 months to convert implied consent into express consent.
2. Identification information must be in your message.
3. An unsubscribe mechanism must be in place so the recipient can opt out of your messages.

What the New Law Means

During the 36-month transition period, you can continue to use your current email list for recipients to whom you have previously provided products or services, as long as they have not told you to stop. It is not illegal to send commercial electronic messages, but you need consent. CASL applies to emails, text and instant messages, and any similar messages sent to electronic addresses (for example, marketing messages sent through LinkedIn). CASL does not apply to promotional information you post online in places like blogs or social media. Express consent received before July 1, 2014 remains valid and does not expire until the recipient withdraws it. Businesses that already comply with privacy laws and use common best practices for email marketing will need little extra effort to comply with CASL. The 36-month transition provides time to adjust and to seek express consent from pre-existing clients.
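The three CASL requirements above (consent, identification, unsubscribe) are the kind of rule a mailing system can enforce before a message leaves. The following is an added example written for this page, not code from the author or from any CASL tooling: a pre-send gate that checks a message against a consent ledger and the two message-content requirements. The ledger format, the header and body checks, and the sample addresses and dates are assumptions made for the demonstration; the consent logic models only the rules the text states (express consent lasts until withdrawn; implied consent from a pre-CASL relationship may be relied on during the 36-month transition ending July 1, 2017).

```python
"""Pre-send CASL gate for a commercial electronic message (CEM).

Added example for this guide; the ledger layout, the checks and the sample
data are constructed assumptions, not a published CASL reference.
"""
import re
from dataclasses import dataclass
from datetime import date
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

CASL_IN_FORCE = date(2014, 7, 1)
TRANSITION_END = date(2017, 7, 1)   # 36 months after CASL came into force


@dataclass
class ConsentRecord:
    """One row of the sender's consent ledger. The sender carries the burden of
    proof, so `evidence` names the artifact (form submission, invoice) behind it."""
    address: str
    kind: str                       # "express" or "implied"
    obtained: date
    evidence: str
    withdrawn: Optional[date] = None


def consent_status(rec: Optional[ConsentRecord], today: date) -> Tuple[bool, str]:
    """Decide whether a ledger row authorises a CEM on `today`."""
    if rec is None:
        return False, "no consent record"
    if rec.withdrawn is not None and rec.withdrawn <= today:
        return False, f"consent withdrawn on {rec.withdrawn.isoformat()}"
    if rec.kind == "express":
        # Express consent does not expire until the recipient withdraws it.
        return True, "express consent"
    if rec.kind == "implied":
        # A pre-CASL business relationship may be relied on only while the
        # 36-month transition runs and express consent is being collected.
        if rec.obtained < CASL_IN_FORCE and today < TRANSITION_END:
            return True, "implied consent (transition period)"
        return False, "implied consent outside the transition window; obtain express consent"
    return False, f"unknown consent kind {rec.kind!r}"


def check_cem(msg: EmailMessage, ledger: Dict[str, ConsentRecord], today: date) -> List[str]:
    """Return the list of CASL problems; an empty list means the message may be sent."""
    problems: List[str] = []
    body = "" if msg.is_multipart() else msg.get_content()

    # 1. Consent: look the recipient up in the ledger.
    _, to_addr = parseaddr(msg.get("To", ""))
    ok, why = consent_status(ledger.get(to_addr.lower()), today)
    if not ok:
        problems.append(f"consent: {why}")

    # 2. Identification: a named sender mailbox and a mailing-address line in the body
    #    (the "Mailing address:" marker is an assumed house convention).
    name, from_addr = parseaddr(msg.get("From", ""))
    if not name or "@" not in from_addr:
        problems.append("identification: From header must carry the sender's name and a working mailbox")
    if not re.search(r"(?im)^(?:mailing address|address):", body):
        problems.append("identification: body lacks a mailing address line")

    # 3. Unsubscribe mechanism: a List-Unsubscribe header or an unsubscribe link.
    has_header = bool(msg.get("List-Unsubscribe"))
    has_link = bool(re.search(r"https?://\S*unsubscribe\S*", body, re.I))
    if not (has_header or has_link):
        problems.append("unsubscribe: no List-Unsubscribe header or unsubscribe link")
    return problems


def build_sample(to: str, with_unsub: bool = True) -> EmailMessage:
    """Constructed sample message for the demo; not a real campaign."""
    msg = EmailMessage()
    msg["From"] = "Example Shop <news@example.ca>"
    msg["To"] = to
    msg["Subject"] = "Spring catalogue"
    if with_unsub:
        msg["List-Unsubscribe"] = "<mailto:unsubscribe@example.ca>"
    msg.set_content(
        "Our spring catalogue is out.\n\n"
        "Example Shop Inc.\nMailing address: 123 Example St, Ottawa ON\n"
        + ("Unsubscribe: https://example.ca/unsubscribe\n" if with_unsub else "")
    )
    return msg


# Constructed ledger: a pre-CASL express opt-in, a pre-CASL customer (implied), a withdrawal.
LEDGER: Dict[str, ConsentRecord] = {
    "alice@example.net": ConsentRecord("alice@example.net", "express", date(2014, 3, 2), "web form #1042"),
    "bob@example.net": ConsentRecord("bob@example.net", "implied", date(2013, 11, 20), "invoice 7781"),
    "carol@example.net": ConsentRecord("carol@example.net", "express", date(2014, 1, 5), "checkbox",
                                       withdrawn=date(2014, 9, 1)),
}


def run_demo() -> Dict[Tuple[str, str], List[str]]:
    """Check every ledger address plus one unknown address, on a date inside the
    transition window and one after it; keyed by (address, ISO date)."""
    results: Dict[Tuple[str, str], List[str]] = {}
    for addr in list(LEDGER) + ["dave@example.net"]:
        for today in (date(2015, 1, 15), date(2018, 1, 15)):
            results[(addr, today.isoformat())] = check_cem(build_sample(addr), LEDGER, today)
    return results


if __name__ == "__main__":
    for key, problems in run_demo().items():
        print(key, problems or "OK")
```

The gate is deliberately strict: a missing ledger row blocks the send rather than assuming implied consent, which is the only safe default when the sender must be able to prove consent after the fact. Bob's pre-CASL relationship passes in January 2015 and fails in January 2018, which is the transition rule the text describes, while Carol's withdrawal overrides her earlier express consent.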
July 1, 2014: The Law Is In Effect Now

Together, the Privacy Act, PIPEDA and CASL govern:

- What personal information can be collected from individuals (including customers, clients and employees);
- When consent is required to collect personal information, and how consent is obtained;
- What notice must be provided before personal information is collected;
- How personal information may be used or disclosed, and the purposes for which it may be collected, used or disclosed by the organization;
- How an individual may get access to, and request correction of, his or her personal information held by the organization.

CHAPTER 4 The Cloud and Privacy Laws
Privacy Is Your Responsibility

Canadian privacy laws apply to organizations using cloud services. It is the responsibility of the business to protect this information, so choosing a cloud vendor that is also in compliance with privacy laws is vital. For example, PIPEDA principle 4.1.3 states that an organization may engage third-party vendors to process data on its behalf, but the organization remains responsible for that personal information. With the advent of cloud computing and storage, the Privacy Commissioners have set out best practices for the contract between a business and its vendor:

- Restricting collection, use and disclosure of information to the purposes for which the third party is expressly retained.
- Requiring the vendor to maintain specific privacy, security and backup standards for the personal information that meet the organization's standards (or requiring the organization to assess whether the vendor's standards are adequate for its purposes).
- A right to audit the privacy and security practices of the cloud vendor.
- Notice, by the vendor, of any loss of or unauthorized access to personal information.
- Access to the personal information for the organization when required.
- Ownership of the personal information by the organization.
- Assistance to the organization in the case of access requests, investigations or correction requests.
- Prohibition on assignment or subcontracting of the contract without the consent of the organization.
- Notice of any demand for access to or disclosure of personal information received by the vendor.

Organizations that use cloud services must confirm that the particular service meets the organization's privacy compliance requirements. Is the vendor in a foreign country, or does the cloud vendor reside in Canada? Canadian businesses may want to keep their data in Canada because of privacy and security concerns. Secure Canadian-based clouds can keep data entirely within Canadian borders. Canada's reputation as a peaceful nation makes it a natural home for the world's data.
Data Is Where?

Businesses need to be sure their data doesn't pass through any networks in another country, including the U.S., where it might be subject to surveillance or seizure under foreign law. A Canadian cloud that offers true data residency can't rely just on data centres sitting inside Canadian borders; it must be connected by networks that are entirely within Canada, and the disaster recovery sites to which data is moved in the event of an outage must also be located in Canada. The three requirements for a secure Canadian cloud are therefore: physical storage of data in Canada, networks inside Canadian borders, and disaster recovery points local to Canada.

There are three basic steps businesses can take to protect their information:

1. Know your information: customer and employee information must be protected and managed, and provisions must be in place to know what information is accessed and by whom.
2. Understand the vendor organization: what is its process for protecting data, and is it in compliance with privacy laws?
3. Use certified cloud providers: look for cloud providers who are independently certified as following security best practices. This gives customers some assurance that their cloud provider is doing what it can to protect against external attack and internal leaks.
Summary

The new laws help protect the privacy of Canadians in the digital world. They also place the burden of compliance squarely on businesses, which means that any business using electronic messaging must develop a compliance strategy. Unless the business is a hot dog stand, the law applies to almost every Canadian business. Here are some general points to include in a privacy compliance strategy:

- The business is responsible for protecting personal information, identifying the individuals responsible for oversight, and getting the consent of the individuals from whom the data is collected.
- Individuals have the right to know what businesses are doing about collecting and storing personal information, and the right to access and correct inaccurate information.
- Businesses must identify themselves as the sender and have the consent of the individuals receiving electronic messages. If the business does not yet have consent, there is a 36-month window to get it.
- Electronic messages must contain an opt-out mechanism.
- Businesses using cloud services for data storage must ensure the cloud provider follows the best practices prescribed by the new laws. It remains the responsibility of the business to protect and preserve the data it collects and stores.
One Complete, Versatile and Easy-To-Use Out-Of-The-Box System!

Still learning how these laws affect your business and the compliance policies they require? It is not an easy task for any business, especially when you consider that, once these policies are in place, you still have to choose from the plethora of cloud storage offerings. Additionally, how does your business plan to easily access and work with the information stored in the cloud? Often a document management or collaboration solution is required.

Air Interactive Media powers AIM mview Suite, a mobile document management and collaboration solution. Connect, share and collaborate on any document, anytime, on any mobile or computing device. Let AIM mview Suite be your answer and leader in compliance concerns, cloud security, document sharing and collaboration.

CALL Laura at (613) 507 VIEW (8439)
Laura Brown, Senior Advisor
Air Interactive Media Inc.
laura@aimedia.ca
A publication of Air Interactive Media