If you have completed the Compliance Questionnaire, you may be wondering what further steps you can take to ensure your compliance and improve your cyber resilience.
One of Canada’s privacy laws, the Personal Information Protection and Electronic Documents Act (‘PIPEDA’), applies if your business is based in Canada or collects personal information or data from Canadian visitors.
Personal information under PIPEDA includes:
- Social status
- Disciplinary actions
- Employee files
- Credit records
- Loan records
- Medical records
How can your business comply with PIPEDA?
- Inform consumers of the type of data being collected
- Notify consumers of the purpose of data collection, and limit your data processing to that purpose
- Obtain consent from users before their data is collected
- Retain consumer data only for a ‘reasonable time’ and delete it as soon as you no longer need it for the purpose consented to
- Protect and safeguard the data
- Allow consumers to request their data and information about the data gathered (including whether such data has been shared)
The above is a summary of PIPEDA’s “10 fair information principles”, which regulate how your business may collect, use and process personal information.
Under PIPEDA, your business must also adhere to mandatory breach reporting should a breach occur. Failure to comply with the reporting, notification and record-keeping requirements can attract fines of up to $100,000 for every time an individual is affected by a security breach.