Hello, everyone. It's Chris Stevens, the Privacy Gremlin. It's my pleasure to welcome you back to the InfoSec Institute's learning path, Information Privacy Essentials for Cybersecurity Professionals. It's an extremely important time for professionals in any discipline to become familiar with information privacy and data protection as they exist around the globe. That requires your familiarity with global laws, international laws governing data protection, information privacy regulations, and the like. It also requires, in countries like the United States, familiarity with laws at the state level, because the US does not have the overarching data protection law we talked about earlier in this course. We're going to continue our discussion of significant international data protection and information privacy laws with a discussion of Canada's Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA). I was teaching a privacy technology course in Toronto for another vendor in 2018 and had the opportunity to host representatives from the Office of the Privacy Commissioner, who shared some interesting insights on the weaknesses that existed in PIPEDA. Canada has two privacy laws at present. We have the Privacy Act, much like the Privacy Act of 1974 in the United States that we're going to talk about later in the learning path. It governs how the Canadian government itself collects and processes personal data. Then it also has the law that applies to commercial entities, which is PIPEDA, the Personal Information Protection and Electronic Documents Act of 2000. We're going to talk about that shortly. Canada is also considering introducing a new privacy law that more closely aligns it with the provisions that you might find in the GDPR.
It provides greater protections to Canadian citizens, as well as holding companies more accountable for how they collect, use, disclose, retain, and dispose of Canadians' or Canadian residents' personal information or personal data. Now, Canada is early in this process with these laws. We'll be watching with bated breath to see where it goes with this law. It's the Digital Charter Implementation Act, which will be coupled with a Consumer Privacy Protection Act or Data Protection Act, so more to follow. We want to continue our discussion. Hopefully, you're having a great day. But I think it's important that we talk about PIPEDA. I made a mistake. I was taking a certification with the entity itself, and I thought that PIPEDA was so close to what was at the time the European Union's Data Protection Directive that I bought the book, read it in one day, and took the test the next day, which was a terrible decision. What I learned was that, again, this law has its own nuances. It's not a cookie-cutter copy of any other international law; it was tailored and developed for Canadians. We're going to talk about that. We're going to talk about PIPEDA's purpose. We're going to talk, like we did before, about when it's applicable and when it's not applicable. We're going to talk about the relationship, which is unique with PIPEDA, between the federal national government of Canada and its provinces, and how they co-implement these privacy laws at the national level and at the provincial level; some of its international requirements; how it defines personal information; and some of those areas not covered by PIPEDA. Then we'll conclude with a summary. Let's talk about PIPEDA's purpose. Much like we saw across the globe at the beginning of the 21st century, technology had outpaced existing laws. We had a broader use of the Internet. We had greater use of automated capabilities for collecting large volumes of individuals' personal data and processing that information.
But in many cases, we didn't have the ability to hold these entities accountable for how they processed that information. With the enactment of PIPEDA in 2000, it provided guidance to those commercial entities, in most cases, on how they had to collect, use, disclose, retain, and, when appropriate, dispose of a Canadian's personal information. The law was passed to make sure that it established those guidelines, those rules, for these commercial entities on how they could process that information legally and lawfully. Like many of the laws that we talked about previously, it highlights the importance of recognizing and respecting the rights and freedoms of individuals. PIPEDA is another law that looks at data protection and privacy as a fundamental human right, and so it should be cherished. Then it established those rules that guide those covered entities that have to comply with PIPEDA in how they're supposed to engage in information lifecycle management, which consists of five phases: collection, use, disclosure, retention, and disposal of personal information or personal data, or the variant, however that's defined in your jurisdiction. It takes a reasonable-expectation approach where, again, if a company is going to engage in processing a Canadian's personal information or personal data, it should do so reasonably, so that if anyone looked at those processes and activities, they would believe that, again, they were fair, lawful, and transparent. When is PIPEDA applicable, and when is it not applicable? It applies when an organization engages in collecting personal data, personal information, for commercial activities. We highlight commercial activities because, in this instance, we're not talking about not-for-profit companies. It also applies when it deals with an employee of an organization, so you have a company that is processing the personal information of its employees.
Or we look at it when it defines that commercial entity as a company that's engaging in these commercial activities in compliance with this law. When is it not applicable? It's not applicable to the Canadian government. That's why it has the Privacy Act. The federal government itself, the national government, is processing an individual's personal information, personal data, to provide them with benefits and services. Just like a constant theme in the earlier laws that we talked about in this course, if you, as an individual, have your own household directory and you're not using it for commercial purposes, only for personal reasons, then again, the law doesn't apply. It also doesn't extend to cases of freedom of expression, or when we're looking at the use of this personal information for journalistic, artistic, or literary purposes. What else doesn't PIPEDA cover? It has this arrangement with several of its provinces that if they have passed privacy laws that are equal to or exceed the requirements stated in PIPEDA, then they can implement their own provincial or territorial governmental laws. It doesn't apply to political parties and associations. We've already stated it doesn't apply to not-for-profit and charity groups. It doesn't cover, as we talked about, the employee business information that consists of the employee's name, their work title, the business address, and their business telephone or work email address. It doesn't apply in most cases to municipal, local jurisdictions, schools, and hospitals. They are covered under other laws at the provincial level. Now, in some instances, PIPEDA may apply. Let's talk about that unique relationship. In this case, we would use the term preemption if you were here in the United States, the relationship between federal authority and state authority. But PIPEDA respects the rights and freedoms of its provinces.
It allows them to enact their own private-sector privacy law, like the one Ontario has when it applies to public health, as long as their laws have been deemed substantially similar to or exceeding that of PIPEDA. Those organizations that have to comply with these provincial laws that meet or exceed the requirements in PIPEDA will then comply with those provincial or territorial laws. Now, you've got Alberta, you've got British Columbia, and Quebec that have been deemed to have provincial laws that are substantially similar to PIPEDA. You've got Ontario from a public health perspective, but Ontario, New Brunswick, Nova Scotia, and Newfoundland have also developed their own unique data protection and privacy laws, and they're applied in the processing and handling of personal health information. Intriguing. So let's talk about international transfers. This is a common theme. You're going to see this in existing laws and new laws. Countries will always be concerned with whom their residents' personal information, personal data, is shared, because we want to ensure that the rights and freedoms of those data subjects are protected. They want to ensure that the recipients of that data, whether they are a third country or an international organization, have an adequate level of privacy protections in place to ensure that the information is not going to be used for subsequent purposes that might infringe upon the rights and freedoms of those individuals. PIPEDA is no different. When you look at it, if you are a business that's licensed to operate in Canada and you're processing personal information that crosses a national border outside of Canada, then you have to comply with PIPEDA, whatever the province or territory in which you're based. What does that mean? That means that you have to account for whom you transfer a Canadian's personal data to, regardless of whether you're in Ontario, Nova Scotia, or whatever province or territory you're operating in.
If you are a federally regulated company that is licensed to operate and conduct business in Canada, then you're always going to be subject to PIPEDA, and that applies to the [inaudible] of an employee's personal data, outside of the exemptions that I mentioned previously. Some of those federally regulated organizations that we're talking about are airports, aircraft, and airlines; banks and authorized foreign banks; inter-provincial or international transportation companies; telecommunications companies; offshore drilling operations; and radio and television broadcasters. So if you look at the territories, if you are a company or business and you're operating in one of Canada's territories, the Northwest Territories, Yukon, or Nunavut, then you're considered to be federally regulated and you have to comply with PIPEDA. How does it define personal information? Much like the other definitions we talked about, really as any information. In this case, this is where PIPEDA varies from other jurisdictional laws and is more broadly defined: when we talk about personal information, it can be factual, objective information, or it can be subjective information, whether it is recorded or not, meaning that it can be oral or in writing, about an identifiable individual. In this case, we're talking about a natural person, and we defined a natural person before as a person who is living and breathing here with us today. It accounts for, in here, a blending of some of those terms that we use in other jurisdictional laws, like, again, sensitive personal information or, in the case of the GDPR, special categories of data. So if you look at these identifiers, some of these we've talked about before: name, age, ID numbers, your income; we talk about ethnic origin; we talk about blood type. But here is where the law gets tricky. Now it's talking about opinions, evaluations, comments, social status, and disciplinary actions that are also defined as personal information.
It defines what it means when it talks about the personal information associated with an employee: the employee file, your credit records, loan records, medical records, any disputes between a consumer and a merchant, and intentions, such as intentions to acquire goods or services or even to change jobs. These are defined as personal information, and they have to be protected under PIPEDA. Let's talk about PIPEDA's fair information practices. We've seen these before. When we get to the course that talks about US laws, we talk about fair information practices; we talk about fair information practice principles. We're going to see some of these terms because, again, many of these are applicable to many global jurisdictions, and they've been incorporated into many of our organizational policies, procedures, guidelines, and standards. Let's look at Principle 1, accountability. You're accountable for how you handle and protect the personal information under PIPEDA that you've collected. You've got to put somebody in charge of your program and then ensure that you're compliant at all times. You've got to state the purpose, and you have to give notice of the legal purpose for which you're collecting and processing this personal information, and you have to give this notice before or at the time of collection. This is where experts in information technology and cybersecurity professionals could come in and create technologies, incorporating them into your information systems and information and communication technologies at the first instance where an individual is going to provide his or her personal information, so that you can give them a just-in-time notice: a dialog box pops up. You give them this stated notice of why you're collecting this information and for what purpose, and then you give them the opportunity to execute their own customer preferences. They can opt in or, if required by the law, opt out. Consent: we've talked about consent.
If you don't remember anything else I mentioned about consent earlier in this course, remember that it is fickle. When you talk about consent as the legitimate basis, the legal basis, for collecting and processing personal information, as easily as it's granted by the consumer or data subject, it can be withdrawn. You have to give notice to that individual, again, to get their consent in many cases before you collect, use, disclose, retain, or dispose of information, except when deemed inappropriate under PIPEDA. You've got to have a sense of necessity and proportionality. You only collect the personal information from Canadians that you need to conduct that specific transactional activity. Too many times, if you go to websites like the Privacy Rights Clearinghouse website, you've seen that since 2006 it has documented innumerable data breaches that, again, resulted because companies, noncompliant with their applicable jurisdictional laws, over-collected and then held that information well beyond its legal or lawful purpose. You want to make sure that you collect the information fairly and lawfully, you want to be transparent in your purposes for collecting that information, and you want to, again, be proportionate in that collection of information, limiting use, disclosure, and retention. Now you've got to make sure that you only retain this information for as long as it has a legitimate business purpose or as defined under applicable laws. Then you've got to get rid of it. The thought that you can keep someone's personal information and personal data in perpetuity no longer exists. When you have that security incident or data breach, or a complaint from a data subject or individual to, in this case, the Office of the Privacy Commissioner or another regulator or supervisory authority, they're going to look at you to [inaudible] for engaging in just really unacceptable data protection and privacy practices. You've got to know why you're retaining that information; you've got to disclose for what purpose.
You've got to let them know when you're going to dispose of that information. You owe that to the consumer when it's required under the law. Let's talk about the FIPs from 6 to 10. We want to make sure that, again, information is accurate, complete, and up to date, because we've seen in the past where inaccurate information caused privacy harms and created privacy invasions into the intimacy of individuals, their families, and their communications. Privacy and security work hand in hand. You've got to protect the data from the time that you collect it. That can be based on the sensitivity of the information and the risk associated with processing it. You've got to be open. Again, this goes back to having that relationship with your consumers and your employees, who are protected under PIPEDA, so that they fully know what your privacy practices and your data protection practices are regarding your collection, use, disclosure, retention, and disposal of that information. Individual access is becoming increasingly important. We have rights regardless of where we are around the globe, and many of these laws say, "Hey, I have a right, company, business, organization, to know what you've collected on me, to be able to review that information." Some of these laws have certain time periods, and we said a company has to go back and look at their active and backup networks. But I have a right to correct that information when appropriate. I have a right to challenge whether the information is accurate and then request that the company or business take the appropriate steps to correct that information. I've got a right to dispute and complain. If I, as a Canadian resident, believe that an organization that's covered by PIPEDA is engaging in practices that are non-compliant with this important [inaudible], then again, I have the ability to complain to the Privacy Commissioner as well.
Now again, initially what you're going to do is contact that organization or business and submit your complaint to its privacy officer or the individual responsible for managing its data protection and privacy practices. One of the unique things about PIPEDA, though, is that, unlike in other jurisdictions, the Office of the Privacy Commissioner is limited in how it can actually assess fines against companies. It has to go to court and have the court do that. That's one of the limitations in PIPEDA. Let's summarize PIPEDA. It was in 2000 that we had the enactment of PIPEDA, and we said PIPEDA applies to commercial entities and federally regulated entities, whether you're regulated by the federal government or your company is operating in a province or one of those stated territories. It has an expanded definition of personal information: it can be factual, subjective, recorded, or not. One of the unique features of these laws is that relationship that PIPEDA has with Canadian provincial and territorial privacy laws: if they are substantially similar to PIPEDA as defined under the law, then again, companies and organizations operating within those provinces or territories will comply with the provincial or territorial privacy laws. It doesn't apply to federal government agencies. Remember, foot stomp, it applies to those commercial entities that have to comply with PIPEDA. It has provisions for the international transfer of data and accountability. It has those 10 fair information principles or practices that dictate and provide guidance to organizations, institutions, and companies that must comply with PIPEDA on how they can engage in their appropriate data governance or information lifecycle management activities: collection, use, disclosure, retention, and disposal of personal information. Hey, we've reached the end of the course. I hope that you've enjoyed our discussion. There are many more privacy laws out there, like Japan's. That's interesting.
Japan itself received adequacy status from the European Commission in 2019. Now companies and businesses can share information or obtain information as if Japan were a European Union country. It created the largest agreement that we have as of 2019 for sharing data between two jurisdictional entities. I hope you, your families, and your significant others are safe and well. I look forward to seeing you in our next course. As always, it's a pleasure to be your instructor. Take care, from the Privacy Gremlin, Chris Stevens. Thank you for spending time with me.