Updates to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): What It Is + What It Means for You

At Okta, we know that privacy is a growing concern at every organization. Privacy regulations around the world are evolving rapidly, and since the GDPR took effect earlier this year, we’ve seen the bar for privacy raised ever higher. On November 1, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will undergo an important update regarding the events that follow a security breach. Here’s an overview of the PIPEDA changes:

What is PIPEDA?

PIPEDA is a Canadian law that addresses data privacy and that was designed to promote consumer trust in e-commerce. It governs how private sector organizations collect, use and disclose personal information in their commercial business. Additionally, PIPEDA facilitates the use of electronic documents. PIPEDA is supplemented by substantially similar provincial privacy laws in Alberta, British Columbia and Québec, and applies to international and interprovincial transfers of personal information.

How is PIPEDA changing?

Starting on November 1, organizations subject to PIPEDA will need to comply with three new requirements. First, they’ll need to notify the Privacy Commissioner of Canada of any data breaches of security safeguards involving personal information that pose a risk of significant harm to individuals. Second, covered organizations will need to notify individuals affected by such breaches. Third, those organizations will now be required to keep records of data breaches for two years.

What’s "significant harm"?

Canada’s Privacy Commissioner has issued guidelines on this subject, which explain that a multi-factor approach will be used to make the determination. These factors include consideration of the sensitivity of the information that was disclosed, the probability of misuse, whether there is evidence of malicious intent (such as hacking or theft), and whether or not the personal information was adequately encrypted, anonymized, or otherwise not easily accessed.

Okta’s Approach to Data Privacy & PIPEDA

The security and privacy of our customers’ data is of paramount importance to Okta. It is the foundation of everything we do and the trust our customers place in us. When it comes to data privacy, our approach is very simple. It can be summed up in three key points:

  • Our customers’ data always belongs to them.

  • Okta will only use customer data to provide the Okta service back to our customers.

  • It’s our fundamental responsibility to do our very best to protect our customers’ data and keep it secure.

At Okta, we welcome the arrival of the PIPEDA update, and we believe that our products and services can help our customers meet their own PIPEDA compliance needs. For example, Okta customers who use Okta Single Sign-On have greater visibility into the third-party applications that are used by their organization, in order to better determine which third-party applications have access to their employees’ and users’ data. Customers that use Okta’s Multi-Factor Authentication service will be better positioned to fend off attackers who leverage weak or stolen credentials, and can therefore reduce the chance that they’ll experience a breach. Similarly, Okta’s Lifecycle Management service allows customers to seamlessly provision and deprovision users, which, in turn, helps limit the sharing of personal data to only those applications that truly need it. While every organization’s PIPEDA compliance is ultimately its own responsibility, and no product or service can act as a silver bullet, Okta can serve as a powerful tool in helping to achieve and maintain compliance.

This blog post contains legal information, but should not be relied on as legal advice. If you or your organization have questions regarding PIPEDA, data privacy laws, or any other topics addressed in this blog post, you should discuss them with an attorney. In addition, the Office of the Privacy Commissioner of Canada has made resources available regarding the PIPEDA update, online at https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-pb/gd_pb_201809/ .