Canada’s Privacy Reforms: 5 Must-Know Personal Information Requirements
Despite people’s modern habits of posting every moment of their lives online for all to see, there are still many things we would like to—must—keep private: financial and medical records, location data, and identity information to name a few. And yet we’ve been conditioned to accept the unrelenting distribution of that data around the world to destinations and for purposes unknown.
Privacy laws, on the other hand, seek to put structure around the secure and appropriate use of such information and hold accountable those who do not. If you own data, if you hold data, or even if you merely direct others to use data, then you are responsible for (the access to and disposition of) that data.
Here we will look at three such pieces of legislation and requirements for companies who do business in Canada, or who process information belonging to Canadian citizens: PIPEDA, CPPA, and Quebec Law 25.
Canada Privacy Law Developments
Starting in 2021, privacy rules across Canada began to change. Quebec adopted Bill 64 (now commonly called Law 25) in September 2021, with its main provisions coming into force in stages each September; the final tranche, which includes the right to data portability, lands in September 2024. At the federal level, the Digital Charter Implementation Act, 2022 (Bill C-27) was tabled in June 2022 to replace PIPEDA’s private-sector privacy rules and, unlike Law 25, must still complete the legislative process before it takes effect. These updates (i.e., “reforms”) reflect changes in the public’s expectations for how their information is used, shared, and stored.
Let’s start with a very high-level review of three important regulations on data privacy:
- The Personal Information Protection and Electronic Documents Act (PIPEDA)—received royal assent in April 2000 and has been the cornerstone of private-sector privacy regulation in Canada for over twenty years, covering personal information such as health and financial data. PIPEDA aimed to promote e-commerce by protecting personal information and “providing for the use of electronic means to communicate or record information or transactions.” In other words, the promise of the Internet also created significant risks, so legal intervention was needed to protect users and, since the 2018 amendments, to require that breaches of security safeguards be reported.
- The Consumer Privacy Protection Act (CPPA, Part 1 of the Digital Charter Implementation Act, 2022)—would replace PIPEDA’s privacy provisions, updating the core principles with more prescriptive obligations, much stiffer administrative penalties, and first steps toward governing emerging technologies such as artificial intelligence (AI); Part 3 of the same bill, the Artificial Intelligence and Data Act, addresses AI systems directly. These changes would bring Canadian federal law closer to many of the EU’s GDPR requirements, including those on cross-border transfers.
- Quebec’s Law 25 (Bill 64)—modernizes Quebec’s own private-sector privacy statute (the Act respecting the protection of personal information in the private sector), which applies in place of PIPEDA within the province. It lays out prescriptive requirements for privacy impact assessments, system reviews, breach reporting, and data handling (e.g., consent, the “right to be forgotten”, and anonymization or destruction once the purpose for collection has been met). Like the CPPA, Law 25 mandates executive-level accountability for compliance (by default the person with the highest authority in the organization is the privacy officer) and imposes requirements on transfers of personal information outside Quebec.
5 Personal Information Requirements
Each of these acts imposes obligations that translate into concrete actions for a data security program:
- Accountability (PIPEDA 4.1 – Principle 1)—an organization is responsible for personal information under its control. As noted above, this means designating individuals who oversee the day-to-day collection and processing of sensitive data. Your organization “shall implement policies and practices to give effect to the principles,” including implementing procedures to protect personal information, responding to complaints, and training staff to “explain the organization’s policies and procedures.”
- Limiting Use, Disclosure, and Retention (PIPEDA 4.5 – Principle 5)—“personal information shall not be used or disclosed for purposes other than those for which it was collected, except” with consent or as required by law. Such data shall be retained “only as long as necessary for the fulfillment of those purposes.” To meet this requirement, document and enforce a retention period for each category of personal information, with a defined destruction or anonymization step at the end of that period, and restrict access to the data on a least-privilege basis.
- Safeguards (PIPEDA 4.7 – Principle 7)—data use policies are enforced through “security safeguards appropriate to the sensitivity of the information.” In practice that means identifying and classifying data so that access control and encryption can be applied in proportion to “the amount, distribution, format of the information, and the method of storage.” The more sensitive the information, the stricter the controls, including “organizational measures [and] security clearances.” The same principle covers disposal: destruction of data at end of life should be reliable and, where possible, automated, so that retired records do not linger in backups, exports, or analytics copies.
- De-identification—the CPPA (Bill C-27) adds “new requirements for using de-identified information and prohibitions on re-identification.” The distinction between the two terms matters. Under the bill, information that is anonymized (irreversibly modified so that no individual can be identified from it by any means) falls outside the definition of personal information, but information that is merely de-identified (direct identifiers removed or replaced, with a residual risk of identification) is still treated as personal information, so the obligations still bind anyone storing it or sharing it with other parties or for other purposes. A hashed email address, or a record stripped of names but keeping postal code and date of birth, is de-identified, not anonymized.
- Privacy impact assessments (PIAs, required by Quebec Law 25)—must be carried out for any project to acquire, develop, or overhaul an information system or electronic service delivery system that involves personal information, and before communicating personal information outside Quebec. A PIA identifies the privacy risks of the project, assesses the injury that could result from unauthorized use or disclosure of the data, and records the measures taken to reduce those risks, which makes it the natural place to rehearse the breach reporting that Law 25 also requires. The PIA is also where the “system to either destroy or anonymize personal information once the purpose for which it was collected has been achieved” is defined, i.e., forgetting by design.
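The de-identification point above is easy to get wrong in code, so here is an added example (written for this article, not Cyera’s software or anything from the statutes) that shows why an unkeyed hash of an identifier is only de-identified, not anonymized: anyone holding a list of candidate emails can reverse it, and the remaining columns can still single out a person. The records, candidate list, and field names are constructed for the example; the keyed pseudonym uses HMAC-SHA-256 with a secret that must be stored apart from the dataset.

```python
"""De-identified is not anonymized: a worked comparison.

Constructed sample data; nothing here refers to real people.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed records with one direct identifier (email) and two quasi-identifiers.
RECORDS = [
    {"email": "alice@example.com", "postal": "H2X 1Y4", "birth_year": 1984, "dx": "asthma"},
    {"email": "bob@example.com", "postal": "M5V 2T6", "birth_year": 1979, "dx": "diabetes"},
    {"email": "carol@example.com", "postal": "M5V 2T6", "birth_year": 1979, "dx": "asthma"},
]


def naive_deidentify(records):
    """Replace the email with an unkeyed SHA-256 digest (a common but weak practice)."""
    return [{**r, "email": hashlib.sha256(r["email"].encode()).hexdigest()} for r in records]


def reidentify(deidentified, candidate_emails):
    """Dictionary attack: hash every candidate and look the digests up in the dataset.

    Returns {digest: original_email} for every record that was recovered.
    """
    table = {hashlib.sha256(e.encode()).hexdigest(): e for e in candidate_emails}
    return {r["email"]: table[r["email"]] for r in deidentified if r["email"] in table}


def new_pseudonym_key():
    """Generate the secret for keyed pseudonymization; keep it out of the data store."""
    return secrets.token_bytes(32)


def keyed_pseudonymize(records, key):
    """Replace the email with HMAC-SHA-256(key, email).

    Same key gives the same pseudonym, so records can still be joined, but
    without the key the dictionary attack above has nothing to compute.
    """
    return [
        {**r, "email": hmac.new(key, r["email"].encode(), "sha256").hexdigest()}
        for r in records
    ]


def singled_out(records, quasi_fields):
    """Return the quasi-identifier combinations that match exactly one record.

    Even with the direct identifier gone, a unique (postal, birth_year) pair
    points at one person, which is why such data remains personal information.
    """
    counts = Counter(tuple(r[f] for f in quasi_fields) for r in records)
    return [combo for combo, n in counts.items() if n == 1]


if __name__ == "__main__":
    candidates = ["alice@example.com", "dave@example.com"]
    recovered = reidentify(naive_deidentify(RECORDS), candidates)
    print("recovered from unkeyed hash:", list(recovered.values()))
    key = new_pseudonym_key()
    print("recovered from keyed pseudonym:", reidentify(keyed_pseudonymize(RECORDS, key), candidates))
    print("unique quasi-identifier combos:", singled_out(RECORDS, ["postal", "birth_year"]))
```

Run it and the unkeyed digest for Alice is recovered from a two-name candidate list, the keyed pseudonyms yield nothing, and Alice’s (postal, birth_year) pair is unique in the set while Bob and Carol share theirs. Keyed pseudonymization removes the cheap reversal path but does not make the dataset anonymous: the key holder can still re-identify, and the quasi-identifiers still single people out, so the record stays within scope of the de-identification obligations.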
How Cyera Supports Compliance Efforts
Getting ready to comply with these updated privacy laws is no small task. Cyera gives you the foundation to effectively defend against breaches by providing holistic data discovery, context around current security controls, identifying users with data access, and data properties such as age, type, and retention metrics.
With Cyera, you can automatically build an inventory of sensitive data so you know what you have, where it is and associated risks. A data inventory is the start for ensuring accountability, appropriate use, applying safeguards, and driving PIAs, because you need to know what you have in order to protect it.
To help you further document your compliance, Cyera lets you audit security controls on sensitive data by revealing whether data is encrypted, tokenized, hashed, or in plaintext. You’ll be able to understand the users, roles, permissions, and usage intent to appropriately enforce least privilege access to data. And monitoring datastore access, logging, backups, and misconfigurations that could expose sensitive data ensures accountability for stewardship.
Overlooking vulnerabilities and overly permissive access that could lead to data loss, or keeping personal information beyond its retention period, all expose your organization to risk. Cyera identifies which users have access to the data and reports on the purposes of that access. If customer data has aged past what your retention policy allows, or belongs to a former employee, Cyera flags its presence.
Cyera takes a data-centric approach to security, assessing the exposure to your data at rest and in use and applying multiple layers of defense. Because Cyera applies deep data context holistically across your data landscape, we are the only solution that can empower security teams to know where their data is, what exposes it to risk, and take immediate action to remediate exposures and assure compliance without disrupting the business.
See how Cyera can help you achieve your data privacy goals and enhance your cybersecurity awareness by scheduling a demo today.