To comply with the CPPA, businesses must take steps to make information available to the public. This publicly available information should be provided in “plain language” and include elements such as the types of personal information under the business's control, how that information is used and retained, and whether any interprovincial or international data transfers occur.
- Ensure clear and plain language is used.
- Update the website so that the information is easily accessible.
2. Privacy Management Program
One of the most significant changes in the CPPA is the requirement for a business to implement and maintain a privacy management program. The program will include the policies, practices and procedures put in place to comply with statutory requirements, including the security of personal information, employee training procedures, and the processing of complaints and requests made by individuals.
- If a current Privacy Management Program is in place, consider reviewing it to ensure that its current form will support all proposed CPPA requirements.
- If there is no Privacy Management Program in place, develop and implement one that will support the proposed CPPA requirements.
3. Security Safeguards
PIPEDA currently requires the use of suitable technological, physical and organizational safeguards to protect personal information. The CPPA contains a new requirement that businesses have a procedure to authenticate an individual who provides personal information. The Act as proposed does not offer further guidance on this matter.
PIPEDA's requirement to report breaches to the Ontario Privacy Commissioner and to notify individuals of such a breach remains unchanged. A notable new addition in the CPPA requires service providers to notify controlling businesses of any breach of security safeguards affecting personal information administered on behalf of the controlling business.
- Review existing security measures and consider the sensitivity of the personal information held, as well as elements such as storage methods and quantity.
- Review the existing response plan to ensure it aligns with the proposed CPPA.
- Consider how individuals are authenticated and ensure you have the required means as stated in the proposed CPPA.
4. Retention Periods
The CPPA clearly defines retention periods. Businesses can only retain personal information for as long as it is needed to fulfil the purposes for which it was collected or to comply with certain statutory requirements. If information retention is found not to meet these standards, a business will be responsible for justifying why the information is retained for a given period of time.
- Review current retention periods for the different classifications of personal information obtained and processed, taking the sensitivity of the information into consideration.
- Review and revise retention procedures if so required.
Contact Quality Credit Reporting if you have any questions about the changes to the CPPA or how to prepare.