There is a tangled web of legislation and acts governing personal information in Canada, and it may affect your website, database or web hosting.
It includes data protection laws at the federal and provincial levels, sector-specific statutes such as health privacy laws, and related statutes such as anti-spam and consumer protection laws. Some of these mandate that victims of a data breach be informed and that the breach be reported. This article covers the essential rules you may need to comply with.
If your website only provides an overview of your services, you send out no email marketing and you store no personal data, then you are probably not bound by any of the rules below.
Within this article we will cover:
In a nutshell, CASL (Canada's Anti-Spam Legislation) was enacted to prevent spam. It gives the recipient a clear path to unsubscribe and prohibits unwanted solicitation.
Organizations are barred from the following activities under CASL:
Individuals can be fined up to $1 million and businesses up to $10 million for the most serious CASL violations.
To comply with PIPEDA (the Personal Information Protection and Electronic Documents Act), organizations must usually get a person's consent before they collect, use or share that person's personal information. People who have shared their data have the right to see what information an organization holds about them and to challenge its accuracy.
Personal information may only be used for the purposes it was gathered for in the first place. If an organization wants to use it for something else, it needs to obtain consent again.
Companies operating in Canada under federal jurisdiction are always subject to PIPEDA. Personal information of their workers is likewise covered by the Act.
Among these groups are:
In other situations, PIPEDA is not applicable. The following are a few illustrations:
While not directly applicable to Canadian organizations, anyone doing business in the United States may need to comply with this U.S. health care act (HIPAA). The act's authors say they want to make it easier for law enforcement to crack down on fraud and abuse, cut down on red tape, and allow people in all walks of life to switch jobs without fear of losing health coverage if they do so, regardless of whether or not they or their family members have pre-existing conditions.
In Canada you may need to comply with the following provincial health care legislation: PHIPA (Ontario), PHIPAA (New Brunswick), PHIA (Newfoundland and Labrador), PHIA (Nova Scotia) and HIPA (Saskatchewan).
The rules for collecting and using EU residents' personal data are spelled out in the General Data Protection Regulation (GDPR), a piece of European Union (EU) legislation.
Any organization which establishes a commercial relationship with a company located in the European Union (EU) must comply with GDPR.
How does the GDPR affect you if you are within Canada? Organizations located outside the EEA are subject to the GDPR if they "offer goods or services" (whether or not payment is required) to data subjects located within the EEA, or if they monitor the behaviour of data subjects located within the EEA (Article 3(2)). The regulation applies regardless of where the processing takes place. The implication is that businesses outside the EU that interact with EU residents fall under the GDPR's jurisdiction.
Already working with a web developer or database person? Have them confirm that your system complies with the applicable laws and legislation as they apply to your line of business.
Want someone who will take care of it all? Let's chat! Our data platform automatically ensures all compliance.