Spotlight on the Consumer Privacy Protection Act: Does Your Organization Have a Privacy Management Program?

Introduction to the CPPA

In June 2022, the federal government introduced Bill C-27, which proposes significant updates to Canada’s federal private sector privacy framework. Bill C-27 is currently in its second reading in the House of Commons. If passed, Bill C-27 would replace the Personal Information and Electronic Documents Act with the Consumer Privacy Protection Act (“CPPA”). The CPPA imposes several new obligations that private organizations should be aware of.

One of the main features of the CPPA is the requirement for organizations to have a privacy management program (“PMP”). PMPs are also a feature of new provisions in British Columbia’s Freedom of Information and Protection of Privacy Act.


The CPPA requires every organization to implement and maintain a PMP. A PMP includes all the policies, practices, and procedures that comprise an organization’s action plan to fulfil its obligations under the CPPA. It may go beyond legislative compliance to help ensure an organization meets its contractual and other privacy and confidentiality commitments.

At the very least, a privacy management program should address how an organization meets its obligations in terms of:

  1. how the organization protects personal information;
  2. how individuals can exercise their rights, including how the organization receives and handles requests for access to personal information, complaints, withdrawals of consent, and data porting requests;
  3. what kind of training and information the organization provides to staff about its policies, practices, and procedures; and
  4. the development of materials to explain the organization’s policies, practices, and procedures.

Towards a PMP Implementation Plan

A good PMP is always evolving. An organization’s privacy management program must be proportionate to the volume and sensitivity of the personal information that it handles. This necessarily means that a suitable privacy management program will be different for each organization depending on the organization’s size, function, and the information it handles. Depending on your organization, a simple privacy policy and training may meet the CPPA’s requirements for a privacy management program. However, in most cases there will likely be gaps that a more comprehensive privacy management program can address.

Your organization should develop an action plan to review the existing pieces of your PMP and identify priorities for further improvements. There are several key concepts in the CPPA that your organization should consider in the PMP process.

a. Appointing a Designated Individual

Your organization must designate at least one individual to be responsible for privacy compliance. That person should be involved with the development and implementation of all policies, practices, and procedures that your organization employs to meet its obligations under the CPPA. They should also be a key member of the incident response team.

b. Providing Access to the Privacy Management Program

Following the CPPA, there will be a greater demand for transparency, from both the public and the Information and Privacy Commissioner. Organizations should ensure that their privacy management program is regularly updated, well-organized, and readily available at all times in preparation for such a request.

c. Service Provider Obligations

If your organization transfers personal information to a service provider in the course of business, you must ensure that the service provider uses equivalent privacy protections. Contract and vendor management will be a significant obligation under the CPPA. Your organization should have a process for contract privacy review and approval.

d. Obtaining Valid Consent

The CPPA proposes some changes to the requirements for valid consent and establishes statutory exceptions. As part of your privacy management program, you should review your organization’s procedure for ensuring valid consent is obtained, its policy on the withdrawal of consent, and any exceptions to consent requirements that your organization might rely on. Staff should be trained appropriately on this issue.

We will be exploring the changes to consent requirements in the CPPA in a separate blog.

e. Reporting Breaches

Organizations are required to report certain breaches of security safeguards involving personal information to the Information and Privacy Commissioner. Organizations must have an incident reporting process which addresses the requirements to notify and report breaches which give rise to a real risk of significant harm. Your organization must also maintain a record of certain information in respect of breaches, including incidents which are not reported.

f. Information governance / Document management

Organizations must properly protect the information that they retain and securely destroy the information they no longer need. Ensure that your organization implements a system to correctly identify and categorize information, particularly sensitive information, in order to comply with this obligation.

i) Retention and destruction

A record retention and destruction plan is crucial. This will maintain access to the information that your organization needs, while also ensuring that your organization does not retain personal information for longer than permitted under the CPPA and other privacy laws. Failing to destroy information that is no longer needed may exacerbate the scope of a potential security breach and expose your organization to greater liability than necessary.

ii) Internal Access Limitations

Organizations should consider controlling internal access to information in their system. When information is identified and classified properly, organizations can limit internal access, thereby reducing the risk that information may be improperly used or accessed.

g. Security, monitoring and threat assessment

Courts and regulators are increasingly expecting organizations to implement strong security, monitoring and threat assessment measures in respect of sensitive information. This should be an aspect of your PMP. If sensitive information is vulnerable to misuse, including by employees, organizations may be obligated to take steps to diligently detect and respond to threats in a timely manner.

h. Employee Training

Organizations should ensure that all employees receive adequate and regular training on the policies, practices, and procedures that constitute your PMP. All levels of personnel should be familiar with your organization’s obligations under the CPPA and how these obligations apply to their job duties and responsibilities.

Key Takeaways

  • The CPPA is coming – and so are new obligations to have a PMP.
  • What makes a PMP appropriate depends on your organization’s size, functions, and the kind of information it handles.
  • There are several things to consider as you draft and implement a PMP for your organization – overlooking a crucial consideration may expose your organization to liability in the event of a security breach.

As you prepare for the CPPA, consider how extensive your privacy management program needs to be, develop a plan to implement it, and ensure that you schedule regular reviews as your organization grows and technology changes.

If your organization has any questions about privacy management programs or other obligations under the CPPA, we would be pleased to help you. Please contact a member of our Privacy & Data Management Group.

  • Ryan Berger

    Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.

    Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...

  • Emily Raymond

    Emily is an associate in both the Labour, Employment and Human Rights Group and the Privacy and Data Management Group in Vancouver. She practices in all aspects of workplace law including occupational health and safety issues ...

About Us

Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.

Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage. 



