There is a tangled web of legislation and acts governing personal information in Canada and how it may affect your website, database or web hosting.
Personal information is governed by data protection law at the federal and provincial levels, by sector-specific statutes such as health privacy laws, and by related statutes such as anti-spam and consumer protection laws. Some of these require that victims of a data breach be notified and that the breach be reported. This article covers the essential rules you may need to comply with.
If your website only provides an overview of your services, you send out no email marketing, and you store no personal data, then you are probably not bound by any of the rules below.
Within this article we will cover:
- Canada’s anti-spam legislation
- Personal Information Protection and Electronic Documents Act
- Health Insurance Portability and Accountability Act
- General Data Protection Regulation
In a nutshell, Canada's anti-spam legislation (CASL) was enacted to prevent spam. It gives recipients a clear path to unsubscribe and prohibits unwanted solicitation.
Organizations are barred from the following activities under CASL:
- Sending unsolicited commercial electronic messages such as email, social media posts, and text messages
- Changing electronic message transmission data to send a message to a different recipient without their knowledge and permission
- Installing software on another person's device without their knowledge and permission (including, in some cases, updates and upgrades, even if you were the one who installed the original software)
- Harvesting addresses (collecting and/or using email and other electronic addresses without permission)
- Engaging in fraudulent online advertising by making false or misleading claims about a product or service
Individuals can be fined up to $1 million and businesses up to $10 million for the most serious CASL violations.
To comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must usually obtain a person's consent before they collect, use, or share their personal information. People who have shared their data have the right to see what information an organization holds about them and to challenge its accuracy.
Personal information can only be used for the reasons it was gathered in the first place. If an organization wants to use it for something else, they need to get permission again.
Companies operating in Canada under federal jurisdiction are always subject to PIPEDA, and the personal information of their employees is likewise covered by the Act. These federally regulated organizations include:
- airports, aircraft, and airlines
- banks and authorized foreign banks
- interprovincial and international transportation providers
- telecommunications providers
- offshore oil and gas drilling operations
- broadcasters on radio and television
PIPEDA does not apply in some situations, for example:
- personal information handled by federal government organizations covered by the Privacy Act
- provincial or territorial governments or their agents
- business contact information (an employee's name, title, business address, telephone number, and email address) that is collected, used, or disclosed solely to communicate with that person about their work or profession
- personal information collected, used, or disclosed by an individual solely for personal purposes (e.g. a personal greeting card list)
- personal information collected, used, or disclosed by an organization solely for journalistic, artistic, or literary purposes
Although it does not generally apply to Canadian organizations, anyone doing business in the U.S. health care sector may need to comply with the Health Insurance Portability and Accountability Act (HIPAA). Its stated aims are to make it easier for law enforcement to crack down on fraud and abuse, to reduce red tape, and to let people change jobs without fear of losing health coverage, regardless of whether they or their family members have pre-existing conditions.
In Canada you may instead need to comply with provincial health information legislation: PHIPA (Ontario), PHIPAA (New Brunswick), PHIA (Newfoundland and Labrador), PHIA (Nova Scotia), and HIPA (Saskatchewan).
The rules for collecting and using the personal data of EU residents are set out in the General Data Protection Regulation (GDPR), a piece of European Union (EU) legislation.
Any organization which establishes a commercial relationship with a company located in the European Union (EU) must comply with GDPR.
How does the GDPR affect you if you are in Canada? Organizations located outside the European Economic Area (EEA) are subject to the GDPR if they "offer goods or services" (whether or not payment is required) to data subjects located within the EEA, or monitor the behaviour of data subjects located within the EEA (Article 3(2)). The regulation applies regardless of where the processing takes place. In practice, this means that businesses outside the EU that interact with EU residents fall under the GDPR's jurisdiction.
Already working with a web developer or database person? Have them confirm that your system complies with the laws and legislation applicable to your line of business.
Want someone who will take care of it all? Let's chat! Our data platform automatically ensures all compliance.