Changes to Privacy Legislation are on their way.
Understand where you are now versus where the regulations are going.
Long-time readers will know that we like to discuss privacy and security legislation from time to time. For example, the Payment Card Industry Data Security Standard (PCI-DSS) comes up periodically; it is a set of rules that applies to organizations that accept plastic for payment, whether debit, credit, or gift card. Alberta’s Personal Information Protection Act (PIPA) also shows up fairly often; it applies to every organization in the province but is of particular importance to municipal and educational organizations.
However, good legislation adapts to changing circumstances, so it’s important to remember that these rules can, will, and should change. For example, a new set of rules for PCI-DSS came into effect in March 2022, updating the regulations from version 3.2.1 to the latest version, 4.0. The update was significant and changed a lot of details of the regulations, including a major update to the rules regarding the use of multifactor authentication along with standard passwords.
Similarly, PIPA’s latest update was fairly significant as well. PIPA was originally created to be a mirror image of another piece of legislation, PIPEDA, the Personal Information Protection and Electronic Documents Act. PIPEDA is federal legislation and only applies to municipalities and other federally regulated entities, but PIPA takes those rules and applies them to everybody in Alberta. Prior to the latest changes, many security processes and tools weren’t actually required by the legislation. But laws are supposed to draw a line in the sand as clearly as possible, not just make strong recommendations. Now, PIPA requirements are actual requirements; there are no more optional elements.
This isn’t the first time these laws and regulations have changed, and there’s no doubt they’ll change again in the future. In fact, one of the changes PCI-DSS recently made was a commitment to update their rules every four years. Similarly, PIPA was mirrored from PIPEDA, and PIPEDA is set to be replaced. If you haven’t heard of it, Bill C-27, the Consumer Privacy Protection Act, is currently working its way through the government gauntlet. Part 1 of the act aims to replace PIPEDA, which means that PIPA will need to change too.
Currently, C-27 has only made it to second reading in the House of Commons twice and hasn’t even hit the Senate, so whatever rules it currently contains could still change drastically. With so much about the bill still up in the air, frankly it’s not even worth evaluating at this point, but it’s certainly worth keeping an eye on how things go. This act will revamp our privacy laws and the enforcement of those laws, and may even contain rules regarding the use of AI. It remains to be seen exactly what will happen with the legislation, but there are bound to be some substantial changes.
This Shakespeare quote comes from Macbeth: “He shall spurn fate, scorn death, and bear / His hopes ’bove wisdom, grace and fear: / And you all know, security / Is mortals’ chiefest enemy.”
If you’d like help evaluating whether you’re compliant with current legislation, or staying compliant once C-27 finally becomes law, contact a TRINUS professional and get yourself some stress-free IT.