
Please see Privacy Part I to learn about the basics of privacy law, personal information, handling personal information, and how to assess if your business is complying with the privacy laws. If your business handles any personal information (including anyone’s name or email address), you should be thinking about your privacy responsibilities now.
Privacy laws in Canada are not all the same: some apply to all organizations that engage in commercial activities (including charities and not for profits when they sell, barter, or lease membership lists, for example), while others do not have a commercial requirement to be applicable, and some are limited to just one type of personal information (such as personal health information).
In this blog, we focus on how privacy laws apply to businesses, and specifically, to businesses that collect, use or disclose personal information in the course of a commercial activity. It does not matter what size your business is. What matters instead is: whether or not you handle personal information, and if you do, whether you are handling it in accordance with privacy laws.
Today’s blog was co-written by Karen Yamamoto, a commercial lawyer in Montreal specializing in privacy and technology law and the Co-Founder of Executive Counsel Group – LinkedIn: https://ca.linkedin.com/in/karen-yamamoto-905ba9a
1) What is the risk to my business if I don’t comply with Canada’s privacy laws? Are there penalties?
If you delay complying with privacy laws, penalties may be imposed for violations. The penalties differ by jurisdiction and by the type of offence. For example, under current Quebec and federal privacy laws, the maximum penalties range from $10,000 to $100,000 depending on the circumstances. Privacy laws are also in the process of being overhauled, and some of the proposed changes could see penalties go as high as 5% of global revenue or $25 million Canadian for serious violations.
2) Examples of violations of privacy laws.
Here are three examples of how small or medium businesses could violate privacy laws:
a) No proper privacy policy in place: The Recruitment Consultant who could not answer her customer’s questions.
Jane is the owner of an architectural firm in Saskatchewan. She hired Armanda, an HR consultant, to handle the recruitment of new junior architects for the firm, and Armanda reviewed the resumes of several candidates through her consulting business’ email system.
Jane became curious about how Armanda’s company was handling the personal information of the candidates in her system. Jane asked Armanda for her privacy policy. Armanda had one; she had copied it from her friend who had a business selling logoed golf shirts to companies.
Once Jane read Armanda’s privacy policy, Jane became quite concerned. The policy did not seem to cover resumes, salary information, addresses, family information, or how candidates’/clients’ personal information would be protected. Instead, it spoke about “protecting credit card information of customers.”
Armanda had just copied a policy that applied to a business totally different from her own. Jane then asked Armanda what specific steps Armanda’s business took to protect personal information, and what Armanda would do if a job applicant withdrew their consent regarding the use of their personal information. Armanda was only able to say, “we keep all client information confidential.”
Is Armanda’s approach enough? Unfortunately, no. She does not have an applicable policy, she seems to confuse confidentiality with privacy, and she does not seem to understand that once consent has been withdrawn, she is generally required to stop handling the personal information of a person.
Not having a privacy policy or procedures in place can be a breach of privacy laws. Under Canada’s privacy laws, the HR consulting business could face penalties, especially if there was some kind of data breach.
b) Not obtaining “meaningful consent” when required: The small tech company that shared a mailing list.
A small tech company in Ontario collects personal information from users including name and sensitive banking information. Express consent is obtained (via an opt-in “click” on its website) to collect and use the information for the purpose of “providing the software product”.
The tech company also shares this information with affiliate business partners (for joint marketing efforts). But their website does not mention this.
Consent remains key under Canadian privacy laws. This Ontario company breached privacy laws. You cannot get “meaningful consent” if you don’t tell people what you are really doing with their personal information. “Meaningful consent” means that individuals understand:
- What personal information of theirs you are collecting;
- With whom you are planning to share the personal information;
- Why you are collecting their personal information; and
- The risk of harm to the individuals and other consequences of the collection, use or disclosure of personal information to which they are consenting.
c) No data breach reporting process in place: The Dentist’s office that did not report a breach.
A dentist’s office in Manitoba gets hacked. Only one individual’s personal information (financial and sensitive medical information) was accessed. Given that security was tightened immediately after the incident and only one person was involved, the IT administrator decided nothing further was required to be done. The dental clinic had no data breach reporting process in place and as a result, IT did not inform anyone else of the breach.
Actually, the dental business could face penalties. Why?
Because in most provinces, an organization must record any loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of security safeguards or from a failure to establish those safeguards. If the breach creates a real risk of significant harm to an individual, notice must be given to the individual and to the applicable privacy regulator and, in some cases, to other organizations. Failure to do all of these things could result in penalties.
3) I copied another website’s privacy policy and put it on my website. Does this cover the issue for my business?
Having a privacy policy is only one small aspect of privacy compliance. Other requirements include (to name a few):
- Did you get proper consent from the individual whose personal information you have?
- Have you trained your employees on the proper handling of personal information?
- Do you have a process or system to record all data breaches?
- Do you have proper contracts in place? For example:
  - With employees: to ensure that they will protect the information that they handle.
  - With suppliers: to ensure that they will (for example):
    - protect the information you share with them, in the same way you would;
    - use the information only for the permitted purposes; and
    - allow you to audit them to ensure compliance.
Copying a privacy policy is not a good idea for many reasons (as we saw in one of our examples above):
- you may violate copyright laws by copying someone else’s work!
- your business’s privacy policy is supposed to describe in writing your business’ actual personal information handling practices.
- someone else’s policy may not be in compliance with the privacy laws of your jurisdiction.
4) If I have a privacy policy on my website, do I also need an internal company policy on privacy?
Yes, you still do! These two do different things. Generally, a website privacy policy describes how your business handles the personal information of website users and/or customers. The internal policy, on the other hand, tells employees how their personal information is handled by their employer and how employees in turn should handle the personal information of others.
5) I want to do the right thing. How do I actually know if my employees and company systems are adequately protecting personal information as Canadian privacy laws require?
“Doing the right thing” here depends on the facts of your situation. A company that only collects a customer’s name and phone number will have very different obligations compared to a company that collects, uses and shares sensitive personal health and financial information via a third-party platform provider.
“Doing the right thing” usually involves a due diligence privacy audit to identify any gaps and risks. If identified, you may then need to obtain special software, implement more robust safeguards, create policies and processes and/or train staff.
6) At this stage in my business, I don’t think I can afford to hire someone to do an assessment of my business data privacy needs and risks. Are there any DIY options?
There are excellent free resources for businesses available on the Internet. A good first step would be to do a self-assessment for privacy law compliance using tools such as the one on the Canadian Privacy Commissioner’s website: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pipeda_sa_tool_200807/.
7) What is GDPR? I keep hearing about it.
GDPR is a big topic and is beyond the scope of today’s blog. It stands for the General Data Protection Regulation, the European Union’s data protection law.
The short answer: If your business is handling the personal information of individuals in the European Union, and at least one of the 3 scenarios below applies to your business, then GDPR may also apply to your business. In that case, meeting the standards of Canada’s privacy laws may not be enough.
GDPR would likely apply to your business if:
- You are established in the EU and process personal information in the context of your business activities;
- You process personal information in connection with your offering of goods and services (even without charge) to individuals in the EU, for example, through your website or mobile app; or
- You process personal information in connection with the monitoring of behavior of individuals in the EU, for example through the use of cookies on your website or mobile app to collect the IP address or other personal data from individuals.
GDPR is considered to be the toughest set of privacy laws in the world. However, as we noted above, some privacy laws in Canada are under review and could follow in the footsteps of the EU and GDPR and create one of the strictest data protection regimes in the world. Stay tuned!
8) Additional resources
There are many elements of privacy that an SME should be aware of including: how to obtain consent, how to train your employees and when to report data breaches to authorities.
If you have any questions, reach out to Karen Yamamoto, an experienced Privacy lawyer, directly at kmy@ecglegal.com.
Amee Sandhu has been a business lawyer in Ontario for 20 years. She created Lex Integra Professional Corporation in 2019 and focuses exclusively on business law and corporate ethics.
The purpose and contents of this blog is to provide information only, and it does not constitute legal advice. Reading this blog does not create a solicitor-client relationship between the reader and Amee Sandhu, Lex Integra, or any of the guest lawyers who co-write these blogs.
It is recommended to engage (hire) a lawyer if you require or are interested in legal advice.