2022 Tsaaro Intellectual Property, All rights reserved
REGULATIONS
CPPA & PIDPT
Canada is set to replace its existing privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), with the new Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (“PIDPT”).
Consumer Privacy Protection Act, CPPA

The CPPA’s goal is to create a novel private sector data privacy law that updates and completely replaces the existing Personal Information Protection and Electronic Documents Act (PIPEDA). The PIDPT seeks to set up a new institutional Personal Information and Data Protection Tribunal with the authority to levy large fines for CPPA violations.

- Allows those harmed to institute a private right of action.
- The security rules are applicable to “covered entities”, which include health plans, pharmacy, radiology and electronic health records (EHR) labs, health care clearinghouses, laboratories and any health care provider.
- Requirements
- Specifies grounds for successful compliance to include informing individuals about the manner of data collection, and their consequences.
- The choice to withdraw consent in whole or part rests with the individual
- Exempts organisation from consent collection
- Provides individual access to, and amendment of their PI via requests.
- Mandates the organisation’s policies and practices to be transparent and allows storing of PI outside Canada.
Non-compliance
HHS may impose civil money penalties up to $100 per failure. The upper limit for penalty per year is $25,000. If anyone discloses or obtains information with malicious intention, it may attract a criminal penalty of $50,000 and up to one-year imprisonment. This fine and imprisonment may increase due to additional factors of false pretences, intention to sell or transfer PHI, or use it for commercial purposes or malicious harm.
How our privacy team can help

At Tsaaro, our privacy team comprises experienced lawyers and InfoSec professionals. Together we ensure that your organisation is compliant with all regulatory requirements along with the best possible technical and infrastructural solutions. We provide personalised plans to our customers to inculcate data protection by design and by default in their processes in a cost-efficient manner.
- Assess the applicable global personal data protection laws (Regulatory Assessment).
- Ensure Data Protection by Design.
- Protect your organisation against hefty fines.
- Improve customer and investor trust in your organisation.