In Canada, the Office of the Privacy Commissioner ensures compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). This applies, in particular, to all federal works, undertakings and businesses engaged in commercial activities involving the interprovincial or international disclosure of personal information. Federal works, undertakings and businesses that handle personal information must comply with PIPEDA with respect to the collection, use and disclosure of personal information.
Depending on the nature of the organization, its location or geographical scope, other laws may apply. In fact, Alberta, British Columbia and Quebec have enacted so-called “substantially” similar legislation to PIPEDA. In Quebec, the law on the protection of personal information in the private sector applies to the activities of provincial businesses within the province.
Personal information is generally defined as any information about an individual that allows the individual to be identified. It is information that, when taken alone or in combination with other personal information, makes an individual identifiable. For example: name, address, e-mail address, date of birth, bank information, race, religion, medical record, social insurance number, etc.
Effective November 1st, 2018, new data breach reporting and record-keeping requirements apply. Organizations subject to PIPEDA are now required to, among other things:
- Determine whether the breach presents a “real risk of serious harm” to an individual;
- Notify the individuals whose information is affected by the breach of security measures;
- Notify the Office of the Privacy Commissioner of Canada;
- Notify any other organization that may reduce the risk of harm that may result from the breach;
- Maintain a record of breaches for 24 months.
Violations of these new provisions can result in fines of several thousand dollars.
In May of the same year, the European Union brought into force the General Data Protection Regulation (GDPR), the scope of which extends well beyond Europe’s borders. Indeed, any company – even if established outside the European Union – that processes data, targets customers, or offers goods and services to European residents is subject to the GDPR. The penalties for infringements are rather high, reaching up to €20 million or 4% of the company’s worldwide turnover, whichever is higher.
With the proliferation of electronic data use and sharing, data protection is becoming essential. As a result, the legislative and regulatory framework in this area has become more demanding for several organizations. Fortunately, the insurance industry has adapted to this reality by offering products designed to help them deal with it.
But how? This will be the subject of our next column.