Canadian Underwriter

Paid 3 Ways Small Businesses Can Stay Compliant Under Federal Privacy Laws

May 27, 2019   by David Smagata, DAS


How can small businesses stay compliant under PIPEDA?

The Office of the Privacy Commissioner of Canada has published various online resources for both individuals and businesses to help them better understand their obligations under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Here are 3 tips on how small businesses can stay compliant under PIPEDA:

  1. Appoint an internal Privacy Officer: Appoint someone within the business to help facilitate ongoing compliance. Appointing an individual not only signals that you are holding someone accountable for this initiative, but it also helps ensure that personal information collection practices follow the Privacy Commissioner of Canada’s recommended guidelines and that the business remains compliant.
  2. Train Your Staff About PIPEDA: Under Schedule 1 of the Act, organizations are expected to follow a code for the protection of personal information which was developed in conjunction with the Canadian Standards Association. The 10 principles include accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access and challenging compliance. Training your employees on these principles and guidelines helps ensure that all staff understand PIPEDA matters. For additional details, please review the Privacy Toolkit provided by the OPC: 
  3. Audit of Information Collecting Practices: Having an internal audit on a quarterly, bi-annual or annual basis demonstrates a business’s desire to make privacy and information collection practices a priority. Regular audits can also help ensure that your business remains compliant under federal privacy laws. Along with helping to prevent privacy breaches, being able to provide evidence of a consistent privacy plan could also mitigate the amount of any fine or damages awarded against the company.

In the event of an investigation under PIPEDA, there are three stages. Once an investigation begins, initiated either by an individual complaint or by an issue identified by the Office of the Privacy Commissioner of Canada (OPC), it moves into the ‘Intake’ stage. During this stage, the unit reviews complaints and gathers additional information in order to move into the ‘Investigation’ stage. Once the complaint is accepted, the investigation commences. If the complaint cannot be easily resolved, a formal investigation will be required. The complaint may then move through the ‘Further Enforcement Tools’ stage. Following the completion of the Privacy Commissioner’s investigation, a business can then face civil action for damages from the individuals who were affected by the breach.

As of November 1st, 2018, regulations came into force requiring organizations to notify affected individuals and the OPC in the event of a serious data breach. Organizations must keep a record of all breaches, but only need to report breaches that pose a real risk of “significant harm”. In assessing whether a breach creates a real risk of significant harm, the organization will need to consider the sensitivity of the personal information and the probability that the information has been, is being or will be misused.

Taking steps to ensure your business remains compliant under federal privacy laws will require time and commitment from your organization. It also makes good business sense, as your customers place a high value on you taking all possible steps to keep their data safe. Fortunately, business owners can use the numerous resources published by the Office of the Privacy Commissioner of Canada to help ensure they remain compliant. For more information visit:

David Smagata – Vice President, Claims & Chief Legal Officer

As Chief Legal Officer and an Insurance Executive, David Smagata leads Claims, Compliance, and Legal in the management of compliance risk, liability and litigation, and corporate oversight for DAS Legal Protection Inc. With almost 20 years of experience in litigation, in conjunction with strong managerial and operational background experience, David brings an insightful and proactive approach to legal issues and a unique ability to solve complex legal and corporate challenges in the financial services field.


2 Comments » for Paid 3 Ways Small Businesses Can Stay Compliant Under Federal Privacy Laws
  1. Wendy says:

    Should an investment firm keep copies of a driver’s licence in the client’s paper files?

    • The Office of the Privacy Commissioner of Canada website is a useful place to start with any such question about best practices. I have included two links below which may be of assistance.

      With respect to your question, the following link provides a good background on the use and retention of Driver’s Licence information:

      The guide outlines the concerns about keeping Driver’s Licence information because they contain so much personal information: “photograph of licensee, address, birth date, signature, physical description (such as height or need for corrective lenses)”. The guide does point out that businesses that fall under certain legislation, such as financial institutions, do have a requirement to record a driver’s licence number for certain transactions. The example provided was under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and Regulations.

      I did find a further guideline from the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) regarding methods to identify individuals:

      The guideline speaks of using the driver’s licence as a means to identify the person, and then outlines what information from the card you need to record. The information you need to record does not include all the information available on a driver’s licence, so retaining a photocopy of the full licence may be a concern.
