May 27, 2019 by David Smagata, DAS
How can small businesses stay compliant under PIPEDA?
The Office of the Privacy Commissioner of Canada has published various online resources to help both individuals and businesses better understand their obligations under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Here are 3 tips on how small businesses can stay compliant under PIPEDA:
An investigation under PIPEDA has three stages. Once an investigation begins, whether initiated by an individual’s complaint or by an issue identified by the Office of the Privacy Commissioner of Canada (OPC), it enters the ‘Intake’ stage. During this stage, the OPC’s intake unit reviews the complaint and gathers additional information. Once the complaint is accepted, it moves into the ‘Investigation’ stage; if the complaint cannot be easily resolved, a formal investigation is required. The complaint may then move into the ‘Further Enforcement Tools’ stage. Following the completion of the Privacy Commissioner’s investigation, a business can also face civil action for damages from the individuals affected by the breach.
As of November 1st, 2018, regulations are in force requiring organizations to notify affected individuals and the OPC in the event of a serious data breach. Organizations must keep a record of all breaches, but only need to report those that pose a real risk of “significant harm”. In assessing whether a breach creates a real risk of significant harm, the organization must consider the sensitivity of the personal information and the probability that the information has been, is being, or will be misused.
Taking steps to ensure your business remains compliant under federal privacy laws will require time and commitment from your organization. It also makes good business sense, as your customers place a high value on you taking all possible steps to keep their data safe. Fortunately, business owners can draw on the numerous resources published by the Office of the Privacy Commissioner of Canada to help them remain compliant. For more information visit: https://www.priv.gc.ca/en
As Chief Legal Officer and an Insurance Executive, David Smagata leads Claims, Compliance, and Legal in the management of compliance risk, liability and litigation, and corporate oversight for DAS Legal Protection Inc. With almost 20 years of experience in litigation, in conjunction with strong managerial and operational background experience, David brings an insightful and proactive approach to legal issues and a unique ability to solve complex legal and corporate challenges in the financial services field.
Should an investment firm keep copies of a driver’s licence in the client’s paper files?
The Office of the Privacy Commissioner of Canada website is a useful place to start with any such question about best practices. I have included two links below which may be of assistance.
With respect to your question, the following link provides a good background on the use and retention of Driver’s Licence information:
https://www.priv.gc.ca/en/privacy-topics/identity-and-privacy/drivers-licences/guide_edl/
The guide outlines the concerns about keeping Driver’s Licence information, because a licence contains so much personal information: “photograph of licensee, address, birth date, signature, physical description (such as height or need for corrective lenses)”. The guide does point out that businesses that fall under certain legislation, such as financial institutions, are required to record a driver’s licence number for certain transactions. The example provided was under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and Regulations.
I did find a further guideline from the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) regarding methods to identify individuals:
http://www.fintrac-canafe.gc.ca/guidance-directives/client-clientele/Guide11/11-eng.asp
The guideline describes using the driver’s licence as a means of identifying the person, and then outlines what information from the card you need to record. The information you need to record does not include all of the information available on a driver’s licence, so retaining a photocopy of the full licence may be a concern.