During August and September, the Office of the Privacy Commissioner of Canada released some important information for organizations regarding their privacy responsibilities and how to meet them. More specifically, it has published a new privacy guide for businesses, resources to help businesses protect personal information and address breaches, and helpful guidance for manufacturers of Internet of Things devices. Each of these documents is briefly discussed below.
The Office of the Privacy Commissioner of Canada has released the following guidance for organizations:
1. Privacy guide for businesses
On August 13, 2020, the Office of the Privacy Commissioner of Canada published this guide to summarize the Personal Information Protection and Electronic Documents Act (PIPEDA) and explain how it applies. The guide discusses important topics such as: PIPEDA and how it applies; the fair information principles found in Schedule 1 of PIPEDA, how to meet those responsibilities, and some practical tips that can help organizations; dealing with a breach; the process for making a complaint to the Privacy Commissioner; applying to the Federal Court for a hearing; anti-spam legislation and PIPEDA; and the Office of the Privacy Commissioner’s advisory services for businesses, through which businesses can receive assistance and advice on the privacy impacts of new programs and general privacy management tips.
2. Report on 2019 breach record inspections and a breach video series for businesses
On September 15, 2020, the Office of the Privacy Commissioner of Canada released information on its recent inspections of the breach records of seven telecommunications companies in Canada. One major finding is that organizations need a better understanding of how to assess whether a breach has led to a real risk of significant harm. This assessment is vital for knowing when and how to report and notify during a breach (as can be seen here), and therefore tips, suggested best practices and examples have been provided to address this issue. For instance, the examples touch on employee snooping, misdirected correspondence, lost laptops and SIM card swaps. It was also found that only one of the companies had a strategy and processes in place for the retention of breach records. In fact, 40 percent of the records inspected did not contain sufficient information for the Office of the Privacy Commissioner of Canada to understand the organization’s assessment of the real risk of significant harm. The report therefore explains the obligation to keep breach records. The Office of the Privacy Commissioner of Canada points out that organizations need to be prepared to report and manage privacy breaches by establishing a breach management and record-keeping system that enables compliance with PIPEDA. In addition, it has released a breach video series for businesses covering the following topics: introduction to breach reporting; assessing the risks of significant harm; business obligations for reporting breaches; how to submit a breach report; when and how to notify people and organizations; and keeping the necessary records.
3. Privacy guidance for manufacturers of Internet of Things devices
On August 20, 2020, the Office of the Privacy Commissioner of Canada published guidance for manufacturers of Internet of Things devices to help them develop smart devices that comply with privacy requirements, and also for individual Canadians to help them protect their personal information while using smart devices. Focusing on manufacturers, this guidance is aimed at those who produce, design or ensure legal compliance for devices with embedded sensors that collect personal information, such as lights, doorbells, locks, smoke detectors, alarms, TVs, cameras, speakers, appliances, toys, clothing, watches or health trackers, to name a few. The guide explains how PIPEDA applies, sets out the important fair information principles found in Schedule 1 of PIPEDA and how to apply them, and provides a handy checklist of privacy requirements along with additional steps that should be taken to supplement these responsibilities.
What does this mean for organizations?
In light of this recent instructive guidance from the Office of the Privacy Commissioner, organizations are encouraged to review these documents and videos to ensure that they are doing what they can to remain in compliance with their privacy obligations. This may involve examining the information and reviewing existing company policies and procedures to confirm that they meet these responsibilities. It may also involve identifying any gaps and filling them by creating new or updated policies and procedures that address the issues.