Canada Issues Guidance on Data Compliance for IoT Manufacturers
September 2, 2020 – Alerts
Canada's Office of the Privacy Commissioner has issued detailed guidance on how IoT manufacturers can comply with the data protection requirements of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Below are the key takeaways:
- If your IoT device is collecting, using or disclosing personal data in the course of commercial activity, then you are subject to PIPEDA and must follow the principles set out in Schedule 1 of PIPEDA.
- Your responsibility as an IoT device manufacturer may extend well after consumers have purchased the device if you continue to collect, use, disclose or otherwise retain personal information.
- You must develop and commit to an ongoing privacy management program for the information that you collect and control.
- Appoint someone to be responsible for your organization's privacy compliance, and implement privacy policies and practices to ensure you are adhering to the principles in PIPEDA. These must include procedures to protect personal information and to receive and respond to complaints.
- Conduct a Privacy Impact Assessment: As a best practice, you should perform a Privacy Impact Assessment (PIA) before operationalizing your product.
Identifying Purposes, Limiting Collection, Consent and Openness
Before you collect any personal information, you must:
- Identify and document why you need the information before or at the time of collection.
- Ensure that the collection of personal information is limited to that which is necessary for the purposes identified.
- Ensure that any purpose(s) for which you are collecting the information is/are limited to what a reasonable person would expect under the circumstances.
- Be aware that some purposes may not be permitted, even with a consumer’s consent.
Inform individuals about:
- What personal information is collected
- With which parties personal information is shared
- For what purposes personal information is collected, used, or disclosed
- Risk of harm and other consequences
- Whom to contact if an individual has questions, wants to access their information, or make a complaint
If you intend to use personal information for a new purpose that wasn’t previously identified, you must identify the new purpose and obtain the individual’s consent before use.
- Obtain meaningful consent for the collection, use and disclosure of personal information (unless an exception to the general consent requirement applies).
- To make consent meaningful, people must understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.
- Even with an individual’s consent, an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Examples of inappropriate purposes include collection, use or disclosure that would otherwise be unlawful, or known or likely to cause significant harm to the individual.
- Meaningful consent can be implied.
- You must generally obtain express consent when:
  - The information being collected, used or disclosed is sensitive
  - The collection, use or disclosure is outside of the reasonable expectations of the individual
  - The collection, use or disclosure creates a meaningful residual risk of significant harm
- In instances where the collection, use or disclosure of their personal information is not an essential condition of service, the options for consumers to say “yes” or “no” must be explained clearly and made easily accessible.
- Under the law, individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. You also have a legal duty to inform individuals of the implications of withdrawing consent.
Limiting Collection, Use, Disclosure and Retention
- Limit the collection of personal information to what is necessary for the identified purpose(s).
- You must be able to justify why each piece of information is collected.
- Document these decisions and inform individuals of these practices.
- Metadata can reveal personal information, so you must also limit its collection. For example, data about the times of day, lengths or locations of audio recordings can be revealing on its own or when combined with other data, exposing sensitive and detailed information about individuals.
- Use or disclosure of personal information must be limited to the purposes for which it was collected, unless the individual consents or it is required by law.
- Retain personal information only for as long as necessary for the fulfilment of the purposes for which it was collected.
- Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.
- It's recommended that you design your device to limit collection by default.
- Any and all collection over and above what is needed for device functioning should be explained to consumers and their consent obtained before collection.
- It's recommended that you provide consumers with user-friendly options to permanently delete information you hold about them, and inform them of how to proceed with doing so.
Individual Access, Accuracy of Information and Challenging Compliance
Consumers have a right to access their personal information, including any inferences the organization has made about the individual based on personal information previously collected or ongoing collection, such as patterns of use or consumer behavior. They also have a right to ensure that their information is accurate and to correct or amend the information.
- Information an IoT manufacturer or its partners collect and store on behalf of users as well as information in transit must be protected by security safeguards appropriate to the sensitivity of the information.
- Potential security risks associated with IoT devices are significant and you are required to take the physical, organizational and technological measures needed to ensure that your devices are safe to use and not easily compromised.
What you must do to fulfill your responsibilities under PIPEDA:
- Be accountable by instituting practices that protect the personal information under the control of your organization.
- Before collecting personal information, identify the purposes for its collection.
- Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed.
- Design your devices to limit collection to that which is necessary to fulfill their stated purposes.
- Use and disclose personal information only for the purpose for which it was collected.
- Ensure that personal information is as accurate, up-to-date and complete as is necessary for the purposes for which it is to be used, especially when making a decision about individuals or when sharing it with others.
- Ensure the personal information you are accountable for is appropriately safeguarded.
- Inform individuals about your policies and practices for information management.
- Give individuals the ability to access and correct their information.
- Provide recourse to individuals by developing complaint procedures.
- Limit what you collect, use, share and retain about your customers, including children.
- Protect personal information through technological safeguards such as encryption and password protection.
What you should do to supplement your responsibilities under the law:
- Create device specific privacy policies to improve the transparency of your information practices. For example, include a list of every sensor a device possesses in your policy’s section on disclosures and state the minimum length of time these devices will receive security updates.
- Consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection.
- Perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices.
- Design your devices so that consumers must use strong and unique passwords.
- Provide consumers with user-friendly options to permanently delete information you hold about them and inform them of how to do so.
- Ensure that the end user can patch or update the firmware on the device.
Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with PIPEDA compliance issues, contact Odia at [email protected] or 215.444.7313.