The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that regulates how Canada’s private sector collects, uses, and discloses personal information in the course of commercial activity. PIPEDA was created in April 2000, but the law did not come fully into force until January 1, 2004.
Much like the more recent General Data Protection Regulation (GDPR) from the European Union (EU), Canada’s PIPEDA reflects a new focus on the protection of personal information in the digital age. Worldwide, people have become increasingly concerned that their personal data be handled ethically and secured properly. Just as GDPR is fundamentally about protecting the data of European citizens, PIPEDA is centered on safeguarding the personal information of Canadians.
Ten PIPEDA Principles
PIPEDA is a broad law built around ten “fair information” privacy principles, which are considered the ground rules of the legislation. The purpose of these principles is to give each individual control over what happens to their information.
- Accountability – the organization is responsible for all personal information under its control
- Identifying Purposes – the organization must state why personal information is needed before it is collected
- Consent – personal information may only be collected with the individual’s meaningful consent
- Limiting Collection – only the data that is needed may be collected, and collection must be fair and lawful at all times
- Limiting Use, Disclosure, and Retention – data may only be used for the purpose for which it was collected, and once it has served that purpose it must be securely destroyed
- Accuracy – collected data must be accurate, complete, and as up to date as possible
- Safeguards – collected data must be protected with adequate security so that its integrity is upheld
- Openness – the organization collecting data must publish the policies and processes it follows when collecting and handling personal information
- Individual Access – any individual has the right, upon request, to view the data held about them and to challenge its accuracy
- Challenging Compliance – an individual may challenge an organization’s adherence to any of these principles
All of these principles apply to PIPEDA-compliant hosting infrastructure; however, the primary point of focus is the Safeguards principle, because the hosting provider has direct control over those elements.
PIPEDA Hosting Safeguards
PIPEDA’s hosting safeguards principle does not directly specify what particular security safeguards must be implemented on the hosting infrastructure; instead, the responsibility is placed on the hosting provider to “ensure it adequately protects the personal information in its care as technologies evolve and as new risks emerge.”
In practice, the Safeguards principle is central to hosting providers because the protective controls must already be in place on the hosting infrastructure before personal information lands on it. A security policy must be defined that covers all digital records and prevents unauthorized access, use, alteration, replication, disclosure, loss, or theft.
Methods of protection are categorized in a similar manner to those enumerated in the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While HIPAA mandates the need for technical, administrative, and physical safeguards, PIPEDA references technical, organizational, and physical requirements of protection.
The technical safeguards focus on several key areas. Encryption is one of the most important, because it protects data even if the storage holding it is lost or stolen. Encrypted data can only be read by an authorized user or system that holds the decryption key; without the key, the data is scrambled and cannot be deciphered. Choose a hosting provider that proactively encrypts data at rest.
Managing user access is another key safeguard: user accounts must be secured with long, complex passwords. Access to data must follow the principle of least privilege, meaning each user has access only to the minimum data required to complete the task at hand. An access control list (ACL) must be maintained, usually in the form of Active Directory security groups, and used to grant privileged access only to the relevant users, and only at specified times or from specified locations.
Detailed logging should be enabled throughout the organization. The logs should allow system administrators to review who has accessed personal information, when, and why. Logs can be fed into a SIEM platform that analyzes user data-access patterns and raises alerts on unexpected activity, such as access to personal data outside business hours or access by a user with a personal connection to the individual whose data it is.
Likewise, Intrusion Prevention Systems (IPS) can be deployed at strategic points within the cloud network to complement the firewall by inspecting packets that the firewall has already accepted as legitimate. The IPS sits inline on the network, adding protection against attacks on local systems below the application layer.
Network firewalls are also very important. They secure the network infrastructure and isolate and protect in-scope PIPEDA systems, resulting in a fully private managed environment. Hardware and software firewalls are installed strategically around the perimeter and internal networks. A Web Application Firewall (WAF) should be considered if the organization relies heavily on web servers; a WAF is a policy-driven device that protects web applications by monitoring and filtering traffic at the network edge.
A key principle of PIPEDA is maintaining the integrity of the personal data that has been collected. One of the simplest ways to achieve this is a well-defined backup solution. If data is inadvertently deleted or corrupted, it can be restored quickly.
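The logging and alerting paragraph above describes reviewing who accessed personal information, when, and why, and alerting on off-hours access or access by someone connected to the data subject. The following is an added illustration written for this article, not code from the original page or from any hosting provider’s SIEM: it parses a few constructed access-log lines (the pipe-separated format, field names, business-hours window, and the affiliation table are all assumptions made here) and returns the alerts a reviewer would want to see. It also flags access with no recorded purpose, which the “why” in the paragraph implies should never be blank.

```python
"""Toy access-log review for personal-data access events.

Added example (not from the original article or any vendor product).
Assumed log line format: ISO timestamp | user | subject id | action | purpose
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines; not real data.
SAMPLE_LOG = """\
2024-03-04T09:15:00 | alice | SUBJ-1001 | read   | billing-inquiry
2024-03-04T23:40:00 | bob   | SUBJ-1002 | read   | -
2024-03-05T10:02:00 | carol | SUBJ-1003 | update | address-change
2024-03-05T12:30:00 | dave  | SUBJ-2002 | read   | support-ticket
2024-03-06T03:05:00 | alice | SUBJ-1004 | export | -
2024-03-09T11:00:00 | carol | SUBJ-1005 | read   | audit
"""

# Assumed business-hours window (local time, Monday to Friday).
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed affiliation table: users known to have a personal link to a
# data subject (the article's "person connected to the individual" case).
AFFILIATIONS = {"dave": {"SUBJ-2002"}}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    subject: str
    action: str
    purpose: str  # empty string when the log recorded no purpose


def parse_line(line: str) -> AccessEvent:
    ts, user, subject, action, purpose = [p.strip() for p in line.split("|")]
    return AccessEvent(datetime.fromisoformat(ts), user, subject, action,
                       "" if purpose == "-" else purpose)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def outside_business_hours(ev: AccessEvent, window=BUSINESS_HOURS) -> bool:
    """True on weekends or outside the [start, end) window on weekdays."""
    start, end = window
    if ev.ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (start <= ev.ts.time() < end)


def affiliated_access(ev: AccessEvent, affiliations=AFFILIATIONS) -> bool:
    return ev.subject in affiliations.get(ev.user, set())


def review(events: list) -> list:
    """Return (timestamp, user, subject, reasons) for every event that needs
    a reviewer's attention; events with no findings are not reported."""
    alerts = []
    for ev in events:
        reasons = []
        if outside_business_hours(ev):
            reasons.append("outside-business-hours")
        if affiliated_access(ev):
            reasons.append("affiliated-user")
        if not ev.purpose:
            reasons.append("no-recorded-purpose")
        if reasons:
            alerts.append((ev.ts.isoformat(), ev.user, ev.subject, reasons))
    return alerts


if __name__ == "__main__":
    for alert in review(parse_log(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the affiliation table would come from HR or a conflict-of-interest register rather than a literal in the code, and the business-hours window would be per-team and timezone-aware; the structure of the checks stays the same.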
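Having a backup is only half of the integrity story in the paragraph above: a restore that silently returns altered or missing records would violate the Accuracy and Safeguards principles just as surely as a deletion. The block below is an added example for this article, not code from the original page or from any backup product; it records a SHA-256 manifest at backup time and checks a restore against it. The in-memory dictionaries standing in for a file set are constructed sample data.

```python
"""Backup integrity manifest: hash each file when the backup is taken and
verify a restore against those hashes.

Added example (not from the original article or any vendor product).
A dict of path -> bytes stands in for a real filesystem snapshot.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each relative path to the SHA-256 digest of its contents."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare a restored file set against the manifest taken at backup time.

    The restore is clean only when nothing is missing, altered, or unexpected;
    each list names the offending paths so the operator can act on them."""
    missing = [p for p in manifest if p not in restored]
    corrupted = [p for p in manifest
                 if p in restored and sha256_hex(restored[p]) != manifest[p]]
    unexpected = [p for p in restored if p not in manifest]
    return {
        "ok": not (missing or corrupted or unexpected),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


# Constructed sample data set; not real personal information.
ORIGINAL = {
    "customers/1001.json": b'{"name": "Example Person", "postal": "A1A 1A1"}',
    "customers/1002.json": b'{"name": "Another Person", "postal": "B2B 2B2"}',
}
MANIFEST = build_manifest(ORIGINAL)

# A faithful restore and a defective one (one file missing, one altered).
GOOD_RESTORE = dict(ORIGINAL)
BAD_RESTORE = {
    "customers/1001.json": b'{"name": "Example Person", "postal": "ZZZ"}',
}


if __name__ == "__main__":
    print(verify_restore(MANIFEST, GOOD_RESTORE))
    print(verify_restore(MANIFEST, BAD_RESTORE))
```

The manifest must be stored separately from the backup itself (and ideally signed), otherwise whoever can alter the backup can alter the manifest to match.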
Organizational safeguards are typically enforced through the administration of an organization’s compliance, including the procedures and processes put in place by management to protect data. Education programs are a fundamental part of this objective. Training helps to create a culture of privacy awareness and can greatly reduce the risk of breaching PIPEDA rules. Training usually focuses on cybersecurity risks and trends, privacy rules, and an understanding of the penalties that could be levied on the organization and the individual in the event of a data breach.
Other in-house best practices are a clear screen policy and a clear desk policy. A clear screen policy states that staff members should lock their computers whenever they step away, even for a moment, and log off whenever they leave their desks for an extended time. A clear desk policy requires employees to clear their desks of any materials, including removable media, sticky notes, business cards, notes, and documentation, whenever the desk is left unattended.
All employees must be security vetted if the job involves handling sensitive information. Due diligence requires background checks before letting any staff access personal data systems. Any reports of employee snooping must be investigated fully, and where proactive measures fail, disciplinary actions should be considered.
PIPEDA compliance requires hosting companies to safeguard personal data physically. The public should not be able to view any confidential data, so access to sensitive locations, such as a hosting data center, must be restricted. Choose a hosting provider that takes data center security seriously. A data center should be an inherently secure compound, monitored 24×7, often with on-site security personnel and remote surveillance. Inside the data center, rooms are locked and access is limited to authorized personnel using key cards.
Offices, doors, and cabinets should be kept locked. Security cameras and physical access policies are other examples of “reasonable” physical controls.
2018 PIPEDA Update
Since its original enactment, PIPEDA has mandated that every company operating in Canada must have implemented a data protection program. On November 1, 2018, the data security rules within PIPEDA were updated, mandating further due diligence and enhancing the strictness of the rules.
Companies are now required to control and manage all data that is in their systems and to place appropriate access restrictions on systems to reasonably safeguard them. Organizations that handle Canadian citizens’ data, both domestic and foreign, will now need to perform the following new tasks:
- Send out notices to impacted users of any privacy breach that carries with it a “real risk of significant harm to an individual,” such as financial loss
- Report any privacy compromises to Canada’s Office of the Privacy Commissioner
- Maintain records of any privacy breaches
Cloud guidelines from the Office of the Privacy Commissioner were updated on December 14. These guidelines are specific to the cloud; however, they translate well to a relationship with any hosting provider. The FAQs state that PIPEDA “does not prohibit cloud computing, even when the cloud provider is in another country.” Using the cloud, then, is clearly permitted. The conditions beyond that are as follows:
- Make sure you get consent from each person
- Protect any data that you gather
- Make sure you collect personal data for appropriate purposes
- Restrict gathering of personal data to your stated purposes
- Make those purposes available to your users
- Make your privacy practices known to users
PIPEDA Guidelines Specific to Hosting & Third Parties
Similar to the business associates agreement (BAA) requirement for HIPAA compliance within the US healthcare industry, PIPEDA mandates that you must maintain responsibility for all data whenever it is transferred to or handled by a third party.
The rules are not quite as strict as HIPAA’s BAA, which requires a contract. PIPEDA requires that each organization using a third party must check that data protections are properly in place via “contractual or other means.”
Any organization using a cloud provider or hosting service should verify that the system maintains the strictures of PIPEDA compliance – particularly paying attention to the contract language that addresses handling personal data.
Importance of Provider Relationships to Continuing PIPEDA Compliance
When compliance parameters become more rigid, organizations increasingly turn to IT partners with niche expertise in meeting those new and specific regulatory parameters. For that reason, and since cloud computing and other third-party systems have become so common across the industry, it is important for organizations to be concerned that any providers handling their data follow the same guidelines.
If you are looking to meet PIPEDA compliance, a third-party provider can certainly help. However, it is critical to ensure that the host you choose has a track record in compliance and specializes in it. At Atlantic.Net, our compliance hosting is certified and audited by independent third-party auditors. We have over 25 years of experience in the industry; get in touch to see how we can help you.