The Ontario Broker - June 2018 - 24

THERE ARE NO STUPID QUESTIONS ABOUT PIPEDA
JEFF TOTH, MARKETING & COMMUNICATIONS COORDINATOR, IBAO

WHAT IS PIPEDA AND WHY SHOULD I GIVE A RIP-EDA?
The Personal Information Protection and
Electronic Documents Act (PIPEDA) ensures that
organizations obtain consent before collecting, using or
sharing personal information. If that sounds too
boring to learn about, you might not have to worry
- it only affects every single organization with
personal information.
Personal information includes identifying
information like your age, name, ID numbers,
income, ethnicity or blood type. Official documents
such as credit records, loan records and medical
records are covered, but so are your opinions,
comments and social status. Basically if it's the
kind of information you'd share in a job interview, a
doctor's office, a bank or on a first date, it's probably
personal information.
BUT DON'T PEOPLE STILL HAVE THEIR DATA STOLEN ALL THE TIME?
Yes! PIPEDA was passed way back in 2000 and
it was getting a little long in the tooth. So in 2015,
Parliament passed the Digital Privacy Act (the "DPA")
to update and strengthen PIPEDA, specifically as it
relates to notice and record keeping requirements for
data breaches and consent. The DPA comes into full
effect on a day that I usually need additional privacy,
November 1st, a.k.a. Discount Candy Day.
Going forward, organizations will be required to
keep and maintain a record of every data breach,
regardless of its size or impact. In the event of
a breach, if there's a risk of significant harm to
individuals, the organization will be required to
report the breach to the individuals affected, as well
as the federal Office of the Privacy Commissioner of
Canada or, as I personally refer to them, "FOPCOC."
Additionally, if it could prevent further harm, the
organization may be required to contact authorities.

I'M NOT FAMILIAR WITH THIS CONCEPT OF HARM - IS THERE A LENGTHY LEGAL DEFINITION I CAN READ?
Boy, is there ever! It includes, but is not limited to,
"bodily harm, humiliation, damage to reputation
or relationships, loss of employment, business or
professional opportunities, financial loss, identity
theft, negative effects on the credit record and
damage to or loss of property."

The DPA also clarifies how to assess if the breach
creates a risk of significant harm when determining
whether it's a reportable breach. Ask yourself: How
sensitive was the information involved in the breach?
And: Is the information likely to be misused? If while
considering either of those questions you cringed a
little, there could be a risk of harm. There's actually
a bit of ambiguity around the area of risk assessment,
so it's better to err on the side of caution to make sure
your organization is compliant.

WHEN NOTIFYING INDIVIDUALS THAT THEIR DATA HAS BEEN BREACHED, CAN I USE THE PHRASE "WHOOPSIE DAISY?"
You probably shouldn't, but the regulations don't
specifically prohibit it. What you do need to
include is details on when the breach happened,
what information was affected, who to contact for
more information and on the individual's right to
file a complaint. You also need to tell them what
they can do to protect themselves from further
harm, for example, changing their password,
hopefully to something better than 12345 or the
word password.
Those affected can be contacted directly by phone
or email, or through a public announcement, for
example, on the organization's website or by hiring a
skywriter. The notifications must be sent out as soon
as possible, including the notification to "FOPCOC."

DO PEOPLE EVEN KNOW THIS STUFF CAN HAPPEN WHEN THEY SHARE THEIR PERSONAL INFORMATION?
A lot of them don't! And to try to improve that
situation, the DPA includes new language that
updates what constitutes valid consent. People
can only consent to having their personal
information used if it can be reasonably expected
that they understood what exactly they consented
to, as well as the consequences of that consent.
These are important changes especially in light
of the recent scandal involving companies who
shall not be named - but their names rhyme with
'placebook' and 'plambridge-planalytica.'

IF THIS WAS PASSED IN 2015, WHY IS IT ONLY COMING INTO EFFECT IN NOVEMBER?
Much of the DPA came into effect in 2015, but
the final version of the regulations on record
keeping and notifications were published in
April. The time between then and this November
is a grace period, allowing organizations to
implement breach reporting processes and to
become compliant. So, if you are one of those
unique individuals who happens to work at an
organization, it's something you might want to
start thinking about. The IBAO has updated
documentation and templates, available on our
website, to help you make sure you're prepared
for Discount Candy Day.
Subject matter expertise provided by our Affinity
Partner, Cassels Brock & Blackwell LLP. If you have
questions or concerns related to PIPEDA or other
legal matters, IBAO members are entitled to one
free phone consultation with a lawyer at Cassels
Brock & Blackwell LLP each year, subject to certain
limitations. For more information, please contact
Brian Reeve.

WWW.IBAO.ORG

