AN INTRO TO. Privacy Laws. An introductory guide to Canadian Privacy Laws and how to be in compliance. Laura Brown


AN INTRO TO Privacy Laws
An introductory guide to Canadian Privacy Laws and how to be in compliance
Laura Brown, Senior DMS Advisor, Air Interactive Media

TABLE OF CONTENTS
Introduction
Chapter 1: Privacy Act
Chapter 2: PIPEDA
Chapter 3: CASL
Chapter 4: Cloud Storage
Conclusion

Introduction

The recent legislation on preserving the security of Canadian citizens places some restrictions on how businesses and government may collect and use electronic methods to communicate with the public and with their constituents. Although two pieces of legislation, the Privacy Act of 1983 and the Personal Information Protection and Electronic Documents Act of 2014, govern the collection and disclosure of personal information by the government and the private sector, a new anti-spam law is now in effect: Canada's Anti-spam Law (CASL). CASL specifically governs emails, texts and anything similar sent to electronic addresses. The following chapters describe these laws as well as what a business may or may not do to comply with them.

Canada has two federal privacy laws: the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private-sector privacy law. With the addition of the Anti-spam Law (CASL), businesses have a legal obligation to review their digital processes to ensure that they are following the guidelines, protecting their data and protecting their customers' and prospects' information.

An overview of the privacy laws and CASL suggests that you may need to have a privacy policy in place to be in compliance. Although the Canadian government has provided the resources necessary to do that, concerns remain about the handling of digital information and its protection in the cloud. Is the cloud safe for storing data? The answer is both yes and no. So what must be done to gather customer information properly, use it for business purposes and protect the data from piracy? Here is what follows:

The Privacy Act: the law and how it affects Canadian businesses.
The Personal Information Protection and Electronic Documents Act: the law and what businesses need to do.
Canada's Anti-spam Law: the law and what businesses must do with electronic messaging.
The Cloud: is your internet storage of data secure?

CHAPTER 1: The Privacy Act

The Privacy Act

The Privacy Act relates to an individual's right to access and correct personal information the Government of Canada holds about them, and to the Government's collection, use and disclosure of their personal information in the course of providing services (e.g., old age pensions or employment insurance). It should be noted that the Privacy Act does not apply to political parties and political representatives. For businesses, the only effect is on the business employee as an individual: information held by the government could adversely affect an individual's employment status, and the law allows the individual to see what information the government has.

CHAPTER 2: The Personal Information Protection and Electronic Documents Act

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the ground rules for how private-sector organizations collect, use or disclose personal information in the course of commercial activities across Canada. It also applies to the personal information of employees of federally regulated works, undertakings or businesses (federally regulated organizations such as banks, airlines and telecommunications companies).

It should be noted that PIPEDA does not apply to organizations that are not engaged in commercial activity. As such, it does not generally apply to not-for-profit and charity groups, associations or political parties, for example, unless the organization is conducting a commercial activity (fundraising is not considered a commercial activity). In addition, PIPEDA will not apply to an organization that operates wholly within a province that has legislation deemed substantially similar to PIPEDA, unless the personal information crosses provincial or national borders. Alberta, British Columbia and Quebec have general private-sector legislation that has been deemed substantially similar.

PIPEDA

Therefore, PIPEDA generally applies to:

Private-sector organizations carrying on business in Canada in the provinces or territories of Manitoba, New Brunswick, Newfoundland and Labrador, Northwest Territories, Nova Scotia, Nunavut, Ontario, Prince Edward Island, Saskatchewan or Yukon, but not their handling of employee information.
Private-sector organizations carrying on business in Canada when the personal information they collect, use or disclose crosses provincial or national borders, but not their handling of employee information.
Federally regulated organizations carrying on commercial activity in Canada, such as a bank, airline, telephone or broadcasting company, including their handling of health information and employee information.

The act basically provides these three things:
1. People can access personal information held by an organization.
2. People can request correction of errors in their personal information.
3. People can file a complaint if not satisfied.

The Office of the Privacy Commissioner of Canada has established privacy principles to be in compliance with the legal guidelines on what a business must do when collecting, using and disclosing a citizen's information.

Privacy Principles

Principle 1, Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
Principle 2, Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Principle 3, Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4, Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Principle 5, Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Principle 6, Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Principle 7, Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Principle 8, Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Principle 9, Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10, Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

CHAPTER 3: Canada's Anti-spam Legislation (CASL)

CASL

CASL is in place to protect Canadians while ensuring that businesses can continue to compete in the global marketplace. The law's definitions list what you can and cannot do regarding commercial messages sent to electronic addresses. There are basically three things a sender must do to be in compliance when sending commercial emails: identify yourself, have the consent of the recipient, and provide an opt-out provision. Proof is the responsibility of the sender. For a transition period, the law also allows for use of a current business mailing list for 36 months from July 2014, while consent is collected. It is your responsibility to understand and comply with the law.

There are three general requirements for sending business electronic messages to an electronic address:
1. Consent, which can be either implied or express. Express consent means it was given orally or in writing, and it does not expire until the recipient unsubscribes. Express consent can also be obtained using opt-in check boxes for purchases or for getting information. Implied consent means the recipient has done business with you or requested information in the past and has not told you to stop. You have 36 months to obtain this recipient's consent.
2. Identification information must be in your message.
3. An unsubscribe mechanism must be in place for the recipient to opt out of your messages.

What the New Law Means

During the 36-month transition period, you can continue to use your current email list if you have previously provided your products or services to the recipients and they haven't told you to stop. It is not illegal to send commercial electronic messages, but you need consent. CASL applies to emails, text and instant messages, and any similar messages sent to electronic addresses (e.g. LinkedIn marketing). CASL does not apply to promotional information you post online in places like blogs or social media. Express consent received before July 1, 2014 is valid and does not expire until the recipient withdraws it. Businesses that already comply with privacy laws and use common best practices for email marketing will require little effort to comply with CASL. The 36-month transition provides time to adjust and seek express consent from pre-existing clients.

July 1, 2014: The Law Is In Effect Now

The Privacy Act, PIPEDA and CASL govern:
What personal information can be collected from individuals (including customers, clients and employees);
When consent is required to collect personal information and how consent is obtained;
What notice must be provided before personal information is collected, and how personal information may be used or disclosed;
The purposes for which personal information may be collected, used or disclosed by the organization;
How an individual may get access to and request correction of his or her personal information held by the organization.

CHAPTER 4: The Cloud and Privacy Laws

Privacy Is Your Responsibility

Canadian privacy laws pertain to organizations using cloud services. It is the responsibility of the business to protect this information, so the choice of a cloud vendor that is also in compliance with privacy laws is vital. For example, Personal Information Protection and Electronic Documents Act (PIPEDA) principle 4.1.3 states that an organization may engage third-party vendors to process data on its behalf, but the organization remains responsible for such personal information.

With the advent of cloud computing and storage, Privacy Commissioners have stated some best practices for business:
Restricting collection, use and disclosure of information to the purposes for which the third party is expressly retained.
The vendor maintaining specific privacy, security and backup standards for the personal information that meet the organization's standards (or the organization assessing whether the vendor's standards are adequate for its purposes).
A right to audit the privacy and security practices of the cloud vendor.
Notice, by the vendor, of any loss of or unauthorized access to personal information.
Access to the personal information by the organization when required.
Ownership of the personal information by the organization.
Assistance to the organization in case of access requests, investigations or correction requests.
Prohibition on the assignment or subcontracting of the contract without the consent of the organization.
Notice of any demand for access to or disclosure of personal information received by the vendor.

Organizations that use cloud services must check whether the particular service meets the organization's privacy compliance requirements. Is the vendor in a foreign country, or does the cloud vendor reside in Canada? Canadian businesses may want to keep their data in Canada because of privacy and security concerns. Secure Canadian-based clouds can keep data entirely within Canadian borders. Canada's reputation as a peaceful nation makes it the perfect place for the world's data.

Data Is Where?

Businesses need to be sure data doesn't pass through any networks in another country, including the U.S., where it might be subject to unwarranted surveillance or seizure. A Canadian cloud that offers true data residency can't rely just on data centers sitting inside Canadian borders; it must be connected by networks that are entirely within Canada. The disaster recovery zones where data is moved in the event of an outage must also be located in Canada. The three requirements for a secure Canadian cloud are: physical storage of data in Canada; networks inside Canadian borders; and disaster recovery points local to Canada.

There are three basic steps businesses can take to protect their information:
1. Information: customer and employee information must be protected and managed. Provisions must be in place to know what information is seen and by whom.
2. Understand the vendor organization: what is its process for protecting data? Is it in compliance with privacy laws?
3. Use certified cloud providers: look for cloud providers who are independently certified as following best security practices. This provides customers with some assurance that their cloud provider is doing what it can to protect against external attack or internal leaks.

Summary

The new laws help protect the privacy of Canadians in this new digital world. They also place the burden for compliance squarely on businesses, which means a compliance strategy must be developed by businesses using electronic messaging. So unless the business is a hot dog stand, the law applies to almost all Canadian business. Here are some general points to include in a privacy compliance strategy:
Business is responsible for protecting personal information, identifying individuals responsible for oversight, and getting the consent of individuals from whom the data is collected.
Individuals have the right to know what businesses are doing about collecting and storing personal information, and the right to access and change inaccurate information.
Businesses must reveal that they are the sender and have the consent of individuals receiving electronic messages. If the business does not have consent, there is a 36-month window to get it.
Electronic messages must contain an opt-out mechanism.
Businesses using cloud services for data storage must ensure the cloud provider is following best practices as prescribed by the new laws. It is still the responsibility of the business to protect and preserve the data collected and stored.

One Complete, Versatile and Easy-To-Use Out-Of-The-Box System!

Still learning how these laws affect your business and the compliance policies required? It is not an easy task for any business, especially when you consider that, after these policies are in place, one must still choose from the plethora of cloud storage offerings. Additionally, how does your business plan to easily access and work with the information stored in the cloud? Often a Document Management or Collaboration Solution is required. Air Interactive Media powers AIM mview Suite, a Mobile Document Management & Collaboration Solution. Connect, share and collaborate on any document, anytime, on any mobile or computing device. Let AIM mview Suite be your ANSWER and LEADER in compliance concerns, cloud security, document sharing & collaboration. CALL Laura at (613) 507 VIEW (8439). Laura Brown, Senior Advisor, Air Interactive Media Inc. laura@aimedia.ca