PIPEDA – Legislation for Cyber Security in Canada
Like most other countries, Canada has a legal framework to protect the private information of its citizens. While the Cyber Security Policy of Canada recognizes the importance of cyber security, the legal framework ensures that there is no intrusion on the privacy of citizens.
While private companies and organizations have their own policies regarding the privacy of cyber data, the Government of Canada has formulated a statutory framework called the Personal Information Protection and Electronic Documents Act (PIPEDA), federal legislation that applies to the protection of personal information collected by various government bodies. In addition, it also protects personal information in the course of commercial activities in all jurisdictions that do not have such legislation. PIPEDA is an ongoing effort; the policies within the Act are constantly reviewed and revised as needs change.
PIPEDA is consent-based, requiring an individual's knowledge and consent for an organization to disseminate their personal information. This model has proven flexible in adapting to rapidly evolving cyber technologies, and many organizations actively contribute to keeping this Act relevant at all times.
PIPEDA was carefully drafted to be technology neutral, and it stands the test of time, allowing organizations to evolve their privacy practices to reflect changing business models, technologies and customer expectations. Although it is consent-based, PIPEDA also offers practical exemptions to consent where consent is not practical or necessary, including exemptions for publicly available information, with the understanding that all other PIPEDA privacy obligations and safeguards continue to apply.
Here are the salient points of PIPEDA to protect personal cyber data:
- All the personal data a company / organization collects must be maintained securely. It must be protected from loss, unauthorized access and data theft
- The onus to protect personal data lies with the company / organization in possession of this data. They must designate an individual / group that is accountable for compliance with this statute
- Security safeguards must protect personal information, regardless of the format in which it is held
- Data secrecy must be maintained according to data sensitivity. The more sensitive the data, the higher the protection must be
- Personal data must be protected by physical measures, organizational measures and technological measures
In addition to PIPEDA, a few of the provinces in Canada have their own legislation in place for the security of personal data. These include Alberta, British Columbia and Quebec. Further examples of such statutory legislation include Canada's Anti-Spam Law, Canada's Criminal Code, etc.
Cyber Security Measures
With the Government of Canada treating data security breaches seriously, it is necessary for companies and organizations to comply with the law. Apart from government penalties, a company can also be sued by individuals for misusing personal data. Unfortunately, most companies do not have the in-house expertise to comply with the regulatory requirements, even when they are willing to protect the integrity of cyber data. Hackers and other miscreants who are on the prowl can break weak security and capture the data, resulting in expensive lawsuits. It is therefore necessary for organizations to engage companies that specialize in providing cyber security. Luckily, from Ontario to Toronto, and across Canada, there are good companies that provide IT security services.
To achieve a high degree of cyber security, it is necessary to adopt a multi-disciplinary approach, with input from a variety of cyber experts. It is therefore desirable to hire good cyber security providers that are experienced and possess the necessary skills for security audits. Only then will the risk of a breach in cyber security be mitigated, and compliance with PIPEDA and other legal requirements be achieved.