To comply with the CPPA, businesses must take steps to make information available to the public. This publicly available information should be provided in “plain language” and include elements such as the types of personal information under the business's control, how that information is used and retained, and whether any interprovincial or international data transfers occur.
To Do:
One of the most significant changes in the CPPA is the requirement for a business to implement and maintain a privacy management program. This program will include policies, practices and procedures that are put in place to comply with statutory requirements. This will include the security of personal information, employee training procedures and processing of complaints and requests made by individuals.
To Do:
PIPEDA currently requires the use of suitable technological, physical and organizational safeguards to protect personal information. The CPPA contains a new requirement wherein businesses must have a procedure to authenticate an individual who provides personal information. The Act as proposed does not offer further guidance on this matter.
PIPEDA's requirements on reporting breaches to the Ontario Privacy Commissioner and notifying individuals of such a breach remain unchanged. A notable new addition in the CPPA requires service providers to notify controlling businesses of any breach of security safeguards affecting personal information administered on behalf of the controlling business.
To Do:
The CPPA clearly defines retention periods. Businesses can only retain personal information for as long as it is needed to fulfil the purposes for which it was collected or to comply with certain statutory requirements. If it is found that information retention does not meet standards, a business will be responsible for justifying why information is retained for a proposed period of time.
To Do:
Contact Quality Credit Reporting if you have any questions about the changes to the CPPA or how to prepare.