Between December 2022 and February 2023, TMX, a Canadian Financial Services company, and its affiliated entities, including TitleMax, TitleBucks, and InstaLoan, experienced a major data breach that affected a staggering 4.8 million customers. The breach exposed highly sensitive personal information, including passport numbers, social security numbers, tax identification numbers, and financial account numbers (to name a few).
This incident underscores the importance of organisations exercising utmost vigilance when collecting and storing such sensitive data.Unfortunately, it took the company two months to identify and notify its customers about the breach, highlighting the need to continuously monitor networks and systems within the country.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that governs how private-sector organisations collect, use, retain, and share personal information during commercial activities.
The TMX breach serves as a stark reminder of the critical need for organisations to prioritise the security and protection of sensitive data. In Canada, one of the key legislations governing the handling of personal information is the Personal Information Protection and Electronic Documents Act (PIPEDA). Let us delve a bit into PIPEDA.
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that governs how private-sector organisations collect, use, retain, and share personal information during commercial activities. This law is designed to safeguard privacy and uphold the rights of individuals residing in Canada. PIPEDA applies specifically to personal information in the private sector, as well as electronic documents and evidence.
What is considered personal information under PIPEDA?
Under PIPEDA, Personal Information refers to data linked to a person who can be identified through the information provided. This encompasses a wide range of information, from basic details such as name and age to more sensitive information such as income, ID numbers, opinions, evaluations, social status, employee files, credit records, loan records, medical records, and more.
Who is responsible for ensuring an organisation’s compliance with the law?
The Privacy Commissioner of Canada’s office (OPC) ensures businesses comply with personal information handling practices by performing unbiased audits and investigations. Suppose an OPC receives a complaint regarding the violation of PIPEDA. In that case, they examine the organisation by reviewing personal information, conducting interviews with the associated parties, or collecting data. If the complaint is deemed valid, OPCs will suggest ways to address the issue and offer advice. The matter will be referred to the Federal Court of Canada in extreme cases.
Fair Information Principles
PIPEDA outlines ten fair information principles businesses should follow. Doing so can contribute to fostering trust in your industry.
To comply with PIPEDA, organisations must adhere to all ten principles listed. They are accountable for meeting privacy obligations and must assign individuals or departments to monitor privacy matters. All information, including data transferred to third parties, must be safeguarded, or the organisation will be held accountable.
Organisations must inform customers why they collect their information before or during collection. They should identify the purpose behind gathering information and keep a record of it. This will help the organisation determine the information required to achieve the intended goal. Depending on the data, customers can be informed verbally or in writing. In case of collecting new information, consent must be obtained again.
Before obtaining consent for collecting, using, or disclosing personal information, clearly explaining its legitimate purpose and potential consequences is essential. Organisations must be cautious in their approach and content creation for sensitive personal information. Individuals should also be allowed to opt out at any time and informed about the implications.
To ensure fairness, only gather the necessary information to fulfill the intended purpose. Obtain this information legally and through ethical means. This will prevent the organisation from misguiding individuals by obtaining irrelevant data under the guise of data collection.
Limiting use, disclosure, and retention
It’s essential only to use the collected information for its intended purpose. Whenever there is a new need for data usage, obtain consent. Have guidelines and procedures in place for retaining and disclosing information. And, once information is no longer necessary, make sure to remove it from the organisation’s database.
Organisations need to gather truthful, precise, and current information regarding individuals. Otherwise, inaccurate data may be shared with third-party entities.
Organisations must safeguard any personal information they gather by ensuring it is protected and secure from loss, theft, unauthorised access, disclosure, or misuse. The level of protection should correspond with the sensitivity of the information.
It’s essential to have clear privacy policies and procedures readily available to individuals so they understand the purpose behind information gathering. Make sure the guidelines clearly state the actual purpose.
People have the right to access their personal information whenever they want and are also allowed to delete, correct, or modify it. Organisations are required to comply with this rule. If someone asks for their personal information, the organisation must provide it at the earliest.
Suppose individuals believe an organisation is not adhering to the abovementioned principles. In that case, they have the right to dispute it by filing a complaint with the Office of the Privacy Commissioner of Canada. This process safeguards their privacy rights and ensures that organisations are held accountable for any potential non-compliance.
How to deliver effective PIPEDA awareness training for your employees?
Develop interactive learning modules:
Create informative and engaging content that covers all aspects of PIPEDA. Make the material easy to comprehend, incorporating relatable examples and scenarios. Keep the content up-to-date and include quizzes and assessments to reinforce learning.
Provide ongoing reinforcement
To ensure that key concepts are consistently understood and followed, it is recommended to provide regular training sessions and refreshers. This can be achieved through various forms of communication, such as newsletters, workshops, or other methods.
Track progress and evaluate effectiveness
To ensure a successful training program, it is important to monitor and track employees’ progress. Feedback should be collected, and the effectiveness of the training should be assessed through surveys or assessments. This information can then be used to make necessary improvements and adjustments.
Consider the delivery format
When selecting a delivery format for your organization’s training, it’s important to consider your employee preferences and your organisation’s specific needs. You can choose between bite-sized training modules that can be completed quickly or more comprehensive courses. Additionally, explore using a dedicated micro-learning app or e-learning platform to provide convenient access and interactive learning experiences.
Here is a recommended PDPA awareness training syllabus.
1. Overview of PIPEDA
- What is PIPEDA?
- Who must comply with the law?
- Organisational responsibilities
2. Understanding personal information
- What is Personal Information?
- What is considered Personal Information under PIPEDA?
- What is not covered by PIPEDA?
3. Overview of 10 Fair Information Principles
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Individual Access
- Challenging Compliance
4. Legal Framework and Compliance
- PIPEDA and its Relationship with Other Privacy Laws
- Compliance Obligations and Requirements
- Consequences of Non-Compliance
5. Employee Roles and Responsibilities
- Individual Accountability for Data Protection
- Handling Personal Information Properly
- Reporting and Responding to Data Breaches
6. Customer Rights and Privacy Requests
- Accessing Personal Information
- Addressing Privacy Concerns and Requests
- Handling Privacy Complaints
7. Quiz and assessment
In conclusion, training employees on PIPEDA is crucial for organizations to ensure compliance, protect personal information, and uphold privacy rights. Organizations can achieve this by creating clear objectives, delivering interactive and informative learning modules, and continuously reinforcing knowledge. It is crucial to track progress and evaluate the effectiveness of the training program to improve constantly. Investing in comprehensive PIPEDA training can build customer trust, mitigate risks, and create a culture of privacy awareness. Ultimately, well-trained employees play a critical role in protecting personal information and upholding PIPEDA principles in today’s digital world.