Next Dimension
PIPEDA Legislation
WHAT YOU NEED TO KNOW | WHAT YOU NEED TO DO
This presentation does not constitute legal advice, nor should it be construed as such. The opinions expressed herein are
solely mine, and they do not necessarily represent the views of Siskinds LLP, its partners, associates or affiliates.
Bio
Drew is an associate in Siskinds’ Technology, Privacy and Franchise Group. His practice focuses on
providing legal services to businesses involved in the manufacture and distribution of goods and
services via franchising, multi-level marketing, and technology transfer, development, distribution and
licensing. He advises clients on matters relating to cybersecurity, data protection, privacy and anti-spam,
including PIPEDA, Privacy Shield and GDPR compliance.
Practice Areas
Data protection| Cybersecurity | Privacy
Drew Johnson, Technology and Cyber Security Group
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act
(PIPEDA) is the federal privacy law for private-sector organizations. It
sets out the ground rules for how businesses must handle personal
information in the course of their commercial activities.
What does PIPEDA apply to?
PIPEDA applies to the collection, use or disclosure of personal
information in the course of a commercial activity.
What does PIPEDA not apply to?
Organizations that do not engage in commercial, for-profit activities.
Geographic Scope
Unless the personal information crosses provincial or national borders,
PIPEDA does not apply to organizations that operate entirely within:
• Alberta
• British Columbia
• Quebec
What is personal information?
Personal information is data about an “identifiable individual”. It is
information that on its own or combined with other pieces of data,
can identify you as an individual.
What Does Personal Information Include?
• Age
• Credit card numbers
• Race, national or ethnic origin
• DNA
• Social Insurance number or driver’s license
• Opinions, comments or views about you as an employee
What is generally not considered personal information?
• Information that is not about an individual because the connection to
a person is too weak or far removed (e.g., a postal code).
• Information about a business or organization.
• A person’s business contact information.
• Name, title, and place of business.
10 Principles of PIPEDA
The 10 fair information principles that businesses must follow:
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Provide Recourse
1. Accountability
• Appointment of individual as Chief Privacy Officer.
• Establishment of a “privacy team”.
• Development of policies and procedures for the collection and
protection of personal information.
• Communication to customers/clients of the “go to” person for privacy
matters.
2. Identifying Purposes
• Purpose must be clearly identified.
• Collection must be confined to what is necessary to complete the
purpose.
• Inform of purpose at the time personal information is collected.
• Purposes must be communicated such that individuals will clearly
understand all of the uses to which the information may be put.
3. Consent
• Must be obtained from customers/clients to the collection and use of
their personal information.
• Express v. Implied Consent.
• Sensitivity of information – if the personal information is sensitive in
nature then express consent should be obtained.
4. Limiting Collection
• Only that information that is reasonably necessary to fulfill the stated
purpose may be collected.
• Need to consider carefully whether the information being collected
is really required for the stated purposes.
5. Limiting Use, Disclosure and Retention
• Once collected, the information may only be used for the purposes
stated.
• If purposes change, new consent is required.
• If information will be disclosed to third parties, consent must be
obtained.
• Personal information should only be retained for so long as is
reasonably necessary to satisfy the purposes for which it was
collected.
• When purposes are complete, information should be disposed of.
6. Accuracy
• Obligation to keep personal information up to date, complete and
accurate.
• Make corrections as necessary.
7. Safeguards
• Develop and implement a security policy to protect personal
information.
• Consider where and how personal information is stored and who has
access.
• Must be protected against loss, theft and unauthorized access.
• Only those employees who need to make use of personal information
should have access.
Note: PIPEDA does not specify particular security safeguards that must be used. Rather, the onus is
on organizations to ensure that personal information is adequately protected.
More on Safeguarding
• Use appropriate security safeguards to provide necessary protection.
• Degree of security to be exercised will depend on a number of
factors.
• Factors to Consider:
• sensitivity
• amount
• extent of distribution
• format
• type of storage
8. Openness
• Employees need to be aware of the policies and the procedures
regarding privacy matters.
• Customers/clients need to be informed of the existence of privacy
policies and what the practices are.
• Communication of rights and responsibilities.
• Responsiveness to customers’ privacy related requests.
9. Individual Access
• Individuals are entitled to review their personal information on
request.
• Corrections may be requested and should be made if appropriate.
• Response within 30 days of request.
10. Challenge Compliance/Provide Recourse
• Development of complaint procedures.
• Should be straightforward and easily accessible.
• Responsiveness to complaints.
• Investigation.
• Corrective measures.
• Satisfaction of individual complainant.
Most Common Complaints
• Improper collection, use and/or disclosure of personal information.
• Difficulty obtaining access to personal information.
• Refusal to correct personal information.
• Inadequate safeguards.
Your Responsibility as a Business
• Comply with all 10 of the Principles.
• Protect personal information against loss or theft.
• Protect personal information regardless of the format in which it is
held.
• Safeguard the information from unauthorized access, disclosure,
copying, use or modification.
Breach of Security Safeguards
A breach of security safeguards is defined in PIPEDA as:
• the loss of,
• unauthorized access to or
• unauthorized disclosure
of personal information resulting from a breach of an organization’s security
safeguards, or from a failure to establish those safeguards.
Duty to Report to the OPC - RROSH (real risk of significant harm)
PIPEDA requires you to report to the Office of the Privacy
Commissioner any breach of security safeguards involving personal
information under your control if it is reasonable in the circumstances
to believe that the breach of security safeguards creates a real risk of
significant harm to an individual.
Significant Harm
Significant harm includes:
• bodily harm,
• humiliation,
• damage to reputation or relationships,
• loss of employment,
• business or professional opportunities,
• financial loss,
• identity theft,
• negative effects on the credit record and
• damage to or loss of property.
Relevant Factors - RROSH
Factors that are relevant to determining whether a breach of security
safeguards creates a real risk of significant harm include:
• the sensitivity of the personal information and
• the probability the personal information has been/is/will be misused.
Sensitivity
PIPEDA does not define sensitivity.
Although some information (for example, medical records and income
records) is almost always considered to be sensitive, any information
can be sensitive, depending on the context.
• Names and addresses of subscribers to a newsmagazine would
generally not be considered sensitive information.
• Names and addresses of subscribers to some special-interest
magazines might be considered sensitive.
Circumstances
Following a breach, to determine sensitivity, it is therefore important to
examine both what personal information has been breached and the
circumstances.
• Certain information may on its face be clearly sensitive. Other
information may not be.
• The circumstances of the breach may make the information more or
less sensitive. The potential harms that could accrue to an individual
are also an important factor.
Probability of Misuse
Several questions you need to consider:
• What happened and how likely is it that someone would be harmed by the
breach?
• Who actually accessed or could have accessed the personal information?
• How long has the personal information been exposed?
• Is there evidence of malicious intent (e.g., theft, hacking)?
• Were a number of pieces of personal information breached?
• Is the breached information in the hands of an individual/entity that
represents a reputation risk to the individual(s) in and of itself?
• Was the information exposed to limited/known entities who have
committed to destroy and not disclose the data?
Contents of Report to the OPC
All prescribed information (see Annex).
Timing of Report to the OPC
As soon as feasible after determination that the breach has occurred.
Notification to Individual
You must notify an individual of any breach of security safeguards
involving the individual’s personal information under your control if it is
reasonable in the circumstances to believe that the breach creates a
real risk of significant harm to the individual.
Contents of Notification
The notification must contain sufficient information to allow the
individual to understand the significance to them of the breach and to
take steps, if any are possible, to reduce the risk of harm that could
result from it or to mitigate that harm.
Form and Manner of Notice
The notification must be conspicuous and shall be given directly to the
individual in the prescribed form and manner.
Notification to Organizations
If you notify an individual of a breach of security safeguards, you must
also notify any other organization or government institution of the
breach if you believe that the other organization or the government
institution may be able to reduce the risk of harm that could result
from it or mitigate that harm.
Time to Give Notification to Individuals and Organizations
The notification must be given as soon as feasible after the organization
determines that the breach has occurred.
Records
Maintenance of Records
You must keep and maintain a record of every breach of security
safeguards involving personal information under your control.
Access by the OPC
You must, on request, provide the Commissioner with access to, or a
copy of, a record.
Offences
It is an offence to:
• Fail to comply with breach notification requirements.
• Fail to maintain a record of breaches of security safeguards.
• Destroy personal information that an individual has requested.
• Obstruct a complaint investigation or audit by the Commissioner or
their delegate.
Incident Response Plans
The Keystone of Data Breach Response
What is an Incident Response Plan?
The IRP is the keystone internal policy necessary to help an
organization detect and react to computer security incidents,
determine their scope and risk, respond appropriately to the incident,
communicate the results and risk to all stakeholders, and reduce the
likelihood of the incident recurring.
Why Does an Organization Need an IRP?
An IRP is a necessary policy for responding to a data incident in a timely manner, reducing reputational
damage and potential liability.
• The number of publicly disclosed data breaches rose by almost 50% in 2017 over 2016.*
• 61 percent of breach victims in 2017 were businesses with under 1,000 employees.*
• By responding quickly to and containing a data breach, companies average a savings of over
$1 million.*
Source:
1. Identity Theft Resource Centre 2017 Annual Data Breach Year-End Review
2. 2017 Verizon Data Breach Investigations Report
3. 2018 Cost of a Data Breach Study by Ponemon
What is Included in an IRP?
• A list of the members of the Incident Response Team (IRT);
• Roles and responsibilities for the members of the IRT;
• A list of critical network and data recovery processes;
• A list of the tools, technologies, and resources available to assist
the response; and,
• A business continuity plan.
Legal Counsel and the IRP
An organization’s ability to keep cybersecurity efforts privileged is
stronger where the organization has taken each of these steps:
• Follow counsel’s directions for action;
• Set clear rules regarding communication; and
• Hire and manage outside vendors through counsel.
Disclosure of Data Incidents
An important role of legal counsel is to provide an organization with advice
on disclosure obligations and in drafting appropriate communications.
Following a data security incident, there are various disclosure and
reporting obligations imposed on organizations.
How Often Should IRP Training Occur?
An IRP is useless unless all of the members of the IRT understand it and are able
to implement it.
Beyond the IRT, all members of your staff are your front line against a data
security incident and should understand the importance of the IRP and full
cooperation with the IRT in identifying and rectifying a data incident.
Ongoing cyber-security training for staff and annual or semi-annual tabletop
exercises for issue identification and rectification by the IRT are critical to the
effective implementation of the IRP and reducing liability.
Can the IRP Stand on Its Own?
Privacy-by-design is no longer a buzzword. The IRP should sit alongside:
• Privacy Policy;
• Terms of Use;
• Mobile Device Policy;
• Acceptable Use and Social Media Policy;
• Password Policy;
• Physical Security Policy;
• Security Infrastructure Policy;
• Data Protection Policy; and,
• Disaster Recovery/Business Continuity Plan.
Contact Us
Peter Dillon,
Head of Technology and Cybersecurity Group
Email: peter.dillon@siskinds.com
Phone: 519-660-7818
Drew Johnson
Technology and Cybersecurity Group
Email: andrew.Johnson@siskinds.com
Phone: 519-660-7848
Stacey Bothwell
Business, Technology and Cybersecurity Group
Email: stacey.bothwell@siskinds.com
Phone: 519-660-7792

Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 

Recently uploaded (20)

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 

Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018

  • 1. Next Dimension PIPEDA Legislation WHAT YOU NEED TO KNOW | WHAT YOU NEED TO DO This presentation does not constitute legal advice, nor should it be construed as such. The opinions expressed herein are solely mine, and they do not necessarily represent the views of Siskinds LLP, its partners, associates or affiliates.
  • 2. Bio Drew is an associate in Siskinds’ Technology, Privacy and Franchise Group. His practice focuses on providing legal services to businesses involved in the manufacture and distribution of goods and services via franchising, multi-level marketing, and technology transfer, development, distribution and licensing. He advises clients on matters relating to cybersecurity, data protection, privacy and anti-spam, including PIPEDA, Privacy Shield and GDPR compliance. Practice Areas Data protection | Cybersecurity | Privacy Drew Johnson, Technology and Cyber Security Group
  • 3. What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activities.
  • 4. What does PIPEDA apply to? PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity.
  • 5. What does PIPEDA not apply to? Organizations that do not engage in commercial, for-profit activities.
  • 6. Geographic Scope Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within: • Alberta • British Columbia • Quebec
  • 7. What is personal information? Personal information is data about an “identifiable individual”. It is information that on its own or combined with other pieces of data, can identify you as an individual.
  • 8. What Does Personal Information Include? • Age • Credit card numbers • Race, national or ethnic origin • DNA • Social Insurance number or driver’s license • Opinions, comments or views about you as an employee
  • 9. What is generally not considered personal information? • Information that is not about an individual because the connection to a person is too weak or far removed (a postal code). • Information about a business or organization. • A person’s business contact information. • Name, title, and place of business.
  • 10. 10 Principles of PIPEDA The 10 fair information principles that businesses must follow: • Accountability • Identifying Purposes • Consent • Limiting Collection • Limiting Use, Disclosure and Retention • Accuracy • Safeguards • Openness • Individual Access • Provide Recourse
  • 11. 1. Accountability • Appointment of individual as Chief Privacy Officer. • Establishment of a “privacy team”. • Development of policies and procedures for the collection and protection of personal information. • Communication to customers/clients of the “go to” person for privacy matters.
  • 12. 2. Identifying Purposes • Purpose must be clearly identified. • Collection must be confined to what is necessary to complete the purpose. • Inform of purpose at the time personal information is collected. • Purposes must be communicated such that individuals will clearly understand all of the uses to which the information may be put.
  • 13. 3. Consent • Must be obtained from customers/clients to the collection and use of their personal information. • Express v. Implied Consent. • Sensitivity of information – if the personal information is sensitive in nature then express consent should be obtained.
  • 14. 4. Limiting Collection • Only that information that is reasonably necessary to fulfill the stated purpose may be collected. • Need to consider carefully whether information that is being collected is really required for the purposes.
  • 15. 5. Limiting Use, Disclosure and Retention • Once collected, the information may only be used for the purposes stated. • If purposes change, new consent is required. • If information will be disclosed to third parties, consent must be obtained. • Personal information should only be retained for so long as is reasonably necessary to satisfy the purposes for which it was collected. • When purposes are complete, information should be disposed of.
  • 16. 6. Accuracy • Obligation to keep personal information up to date, complete and accurate. • Make corrections as necessary.
  • 17. 7. Safeguards • Develop and implement a security policy to protect personal information. • Consider where and how personal information is stored and who has access. • Must be protected against loss, theft and unauthorized access. • Only those employees who need to make use of personal information should have access. Note: PIPEDA does not specify particular security safeguards that must be used. Rather, the onus is on organizations to ensure that personal information is adequately protected.
  • 18. More on Safeguarding… • Use appropriate security safeguards to provide necessary protection. • Degree of security to be exercised will depend on a number of factors. • Factors to Consider: • sensitivity • amount • extent of distribution • format • type of storage
  • 19. 8. Openness • Employees need to be aware of the policies and the procedures regarding privacy matters. • Customers/clients need to be informed of the existence of privacy policies and what the practices are. • Communication of rights and responsibilities. • Responsiveness to customers’ privacy related requests.
  • 20. 9. Individual Access • Individuals are entitled to review their personal information on request. • Corrections may be requested and should be made if appropriate. • Response within 30 days of request.
  • 21. 10. Challenge Compliance/Provide Recourse • Development of complaint procedures. • Should be straight forward and easily accessible. • Responsiveness to complaints. • Investigation. • Corrective measures. • Satisfaction of individual complainant.
  • 22. Most Common Complaints • Improper collection, use and/or disclosure of personal information. • Difficulty obtaining access to personal information. • Refusal to correct personal information. • Inadequate safeguards.
  • 23. Your Responsibility as a Business • Comply with all 10 of the Principles. • Protect personal information against loss or theft. • Protect personal information regardless of the format in which it is held. • Safeguard the information from unauthorized access, disclosure, copying, use or modification.
  • 25. A breach of security safeguards is defined in PIPEDA as: • the loss of, • unauthorized access to or • unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
  • 26. Duty to report to OPC - RROSH PIPEDA requires you to report to the Office of the Privacy Commissioner any breach of security safeguards involving personal information under your control if it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to an individual.
  • 27. Significant Harm Significant harm includes: • bodily harm, • humiliation, • damage to reputation or relationships, • loss of employment, • business or professional opportunities, • financial loss, • identity theft, • negative effects on the credit record and • damage to or loss of property.
  • 28. Relevant Factors - RROSH Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include: • the sensitivity of the personal information and • the probability the personal information has been/is/will be misused.
  • 29. Sensitivity PIPEDA does not define sensitivity. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. • Names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. • Names and addresses of subscribers to some special-interest magazines might be considered sensitive.
  • 30. Circumstances Following a breach, to determine sensitivity, it is therefore important to examine both what personal information has been breached and the circumstances. • Certain information may on its face be clearly sensitive. Other information may not be. • The circumstances of the breach may make the information more or less sensitive. The potential harms that could accrue to an individual are also an important factor.
  • 31. Probability of Misuse Several questions you need to consider: • What happened and how likely is it that someone would be harmed by the breach? • Who actually accessed or could have accessed the personal information? • How long has the personal information been exposed? • Is there evidence of malicious intent (e.g., theft, hacking)? • Were a number of pieces of personal information breached? • Is the breached information in the hands of an individual/entity that represents a reputation risk to the individual(s) in and of itself? • Was the information exposed to limited/known entities who have committed to destroy and not disclose the data?
  • 32. Contents of Report to the OPC All prescribed information (see Annex).
  • 33. Timing of Report to the OPC As soon as feasible after determination that the breach has occurred.
  • 34. Notification to Individual You must notify an individual of any breach of security safeguards involving the individual’s personal information under your control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
  • 35. Contents of Notification The notification must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.
  • 36. Form and Manner of Notice The notification must be conspicuous and shall be given directly to the individual in the prescribed form and manner.
  • 37. Notification to Organizations If you notify an individual of a breach of security safeguards, you must also notify any other organization or government institution of the breach if you believe that the other organization or the government institution may be able to reduce the risk of harm that could result from it or mitigate that harm.
  • 38. Time to Give Notification to Individuals and Organizations The notification must be given as soon as feasible after the organization determines that the breach has occurred.
  • 40. Maintenance of Records You must keep and maintain a record of every breach of security safeguards involving personal information under your control.
  • 41. Access by the OPC You must, on request, provide the Commissioner with access to, or a copy of, a record.
  • 43. It is an offence to: • Fail to comply with breach notification requirements. • Fail to maintain a record of breaches of security safeguards. • Destroy personal information that an individual has requested. • Obstruct a complaint investigation or audit by the Commissioner or their delegate.
  • 44. Incident Response Plans The Keystone of Data Breach Response
  • 45. What is an Incident Response Plan? The IRP is the keystone internal policy necessary to help an organization detect and react to computer security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and reduce the likelihood of the incident recurring.
  • 46. Why Does an Organization Need an IRP? An IRP is a necessary policy for responding to a data incident in a timely manner, reducing reputational damage and potential liability. • The number of publicly disclosed data breaches rose by almost 50% in 2017 over 2016.* • 61 percent of breach victims in 2017 were businesses with under 1,000 employees.* • By responding quickly to and containing a data breach, companies average a savings of over $1 million.* Source: 1. Identity Theft Resource Centre 2017 Annual Data Breach Year-End Review 2. 2017 Verizon Data Breach Investigations Report 3. 2018 Cost of a Data Breach Study by Ponemon
  • 47. What is Included in an IRP? • A list of the members of the Incident Response Team (IRT); • Roles and responsibilities for the members of the IRT; • A list of critical network and data recovery processes; • A list of the tools, technologies, and resources available to assist the response; and, • A business continuity plan.
  • 48. Legal Counsel and the IRP An organization’s ability to keep cybersecurity efforts privileged is stronger where the organization has taken each of these steps: • Follow counsel’s directions for action; • Set clear rules regarding communication; and • Hire and manage outside vendors through counsel.
  • 49. Disclosure of Data Incidents An important role of legal counsel is to provide an organization with advice on disclosure obligations and in drafting appropriate communications. Following a data security incident, there are various disclosure and reporting obligations imposed on organizations.
  • 50. How Often Should IRP Training Occur? An IRP is useless unless all of the members of the IRT understand it and are able to implement it. Beyond the IRT, all members of your staff are your front line against a data security incident and should understand the importance of the IRP and of full cooperation with the IRT in identifying and rectifying a data incident. Ongoing cyber-security training for staff and annual or semi-annual tabletop exercises for issue identification and rectification by the IRT are critical to the effective implementation of the IRP and to reducing liability.
  • 51. Can the IRP Stand on Its Own? Privacy-by-design is no longer a buzzword. • Privacy Policy; • Terms of Use; • Mobile Device Policy; • Acceptable Use and Social Media Policy; • Password Policy; • Physical Security Policy; • Security Infrastructure Policy; • Data Protection Policy; and, • Disaster Recovery/Business Continuity Plan.
  • 52. Contact Us Peter Dillon, Head of Technology and Cybersecurity Group Email: peter.dillon@siskinds.com Phone: 519-660-7818 Drew Johnson Technology and Cybersecurity Group Email: andrew.Johnson@siskinds.com Phone: 519-660-7848 Stacey Bothwell Business, Technology and Cybersecurity Group Email: stacey.bothwell@siskinds.com Phone: 519-660-7792
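A breach triage helper that encodes the decision chain from slides 25 to 43: report to the OPC and notify affected individuals when a breach creates a real risk of significant harm (RROSH), notify other organizations only when individuals are notified and that organization could reduce the harm, and record every breach whether or not it met the threshold. This is an added example, not material from the presentation or from Siskinds; PIPEDA sets no formula for RROSH, so the threshold in `assess_rrosh` and the sample breaches are illustrative assumptions.

```python
"""Breach triage helper: the PIPEDA decision chain from slides 25 to 43.

Added example, not the presentation's own material. PIPEDA sets no formula
for "real risk of significant harm" (RROSH); the threshold in assess_rrosh()
is an illustrative assumption, and a real determination is a judgement made
with counsel.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class Breach:
    """Facts an assessor gathers about one breach of security safeguards."""
    description: str
    data_elements: List[str]            # what personal information was involved
    sensitivity: str                    # "low" | "medium" | "high", judged in context
    malicious_intent: bool              # evidence of theft or hacking?
    exposed_hours: float                # how long the information was exposed
    recipients_committed_to_destroy: bool  # exposed only to known parties who agreed
                                           # to destroy and not disclose the data
    individuals_affected: int
    helper_orgs: List[str] = field(default_factory=list)  # bodies able to reduce harm


@dataclass
class Assessment:
    real_risk_of_significant_harm: bool
    report_to_opc: bool
    notify_individuals: bool
    notify_organizations: List[str]
    rationale: List[str]


def assess_rrosh(b: Breach) -> Assessment:
    """Apply the two RROSH factors: sensitivity and probability of misuse."""
    if b.sensitivity not in ("low", "medium", "high"):
        raise ValueError(f"unknown sensitivity {b.sensitivity!r}")
    rationale = []
    # Probability of misuse: exposure confined to known parties who committed to
    # destroy the data, with no sign of malice, is the one case treated as low.
    misuse_plausible = b.malicious_intent or not b.recipients_committed_to_destroy
    rationale.append(f"misuse plausible: {misuse_plausible} "
                     f"(malicious={b.malicious_intent}, exposed {b.exposed_hours:.0f}h)")
    # Illustrative threshold (assumption): high sensitivity with plausible misuse,
    # or medium sensitivity with evidence of malicious intent, meets RROSH.
    rrosh = (b.sensitivity == "high" and misuse_plausible) or (
        b.sensitivity == "medium" and b.malicious_intent)
    rationale.append(f"sensitivity={b.sensitivity} -> RROSH={rrosh}")
    # Reporting to the OPC and notifying individuals share the RROSH trigger;
    # other organizations are notified only when individuals are.
    notify_orgs = list(b.helper_orgs) if rrosh else []
    return Assessment(rrosh, rrosh, rrosh, notify_orgs, rationale)


class BreachRegister:
    """Record of EVERY breach, including those below the RROSH threshold:
    the record-keeping duty (slide 40) is not limited to reportable breaches."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def record(self, b: Breach, a: Assessment) -> int:
        self._entries.append({
            "id": len(self._entries) + 1,
            "recorded_at": datetime.now(timezone.utc).isoformat(),
            "description": b.description,
            "data_elements": list(b.data_elements),
            "individuals_affected": b.individuals_affected,
            "assessment": a,
        })
        return self._entries[-1]["id"]

    def for_commissioner(self) -> List[dict]:
        """Copy of the register, to be produced to the OPC on request (slide 41)."""
        return [dict(e) for e in self._entries]
```

Run `assess_rrosh` on each breach and pass the result to `BreachRegister.record`, so that low-risk incidents (a misdirected e-mail recalled from a known recipient) still land in the register even though they trigger no report.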