February



February 21, 2020

Understanding the differences between GDPR, CCPA, and PIPEDA – a guide for Canadian businesses

Gone are the days of unregulated and untethered data gathering. With the rolling out of the California Consumer Privacy Act, Canadian businesses are now finding themselves navigating a sea awash with a patchwork of extraterritorial legislation.

The laws are sometimes inconsistent, often vague, and certainly confusing. It has therefore become critical that companies understand their obligations under each of these major regimes and delineate the nuanced details between them. Failure to do so may result in severe fines.

In light of this, I have created a quick reference guide for companies looking to better understand their legal obligations under GDPR, CCPA, and PIPEDA.

| Issue | PIPEDA | GDPR | CCPA |
| --- | --- | --- | --- |
| Does each law apply to my business? | PIPEDA applies to private sector organizations that collect, use, or disclose personal information during the course of commercial activity. Notably, this applies to small businesses, and some non-profits and charities that may be considered as conducting “commercial activity”. | Applies to processing of personal data by all organizations (Canadian ones too) that are established in the EU, regardless of where data processing occurs. Equally applies to organizations that control or process data with regard to the offering of goods or services, or monitoring the behaviour of EU residents for advertising. | For-profit companies engaging consumers and households in California. For-profit companies that have at least $25 million in annual revenue must comply with the law, as must companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data. |
| Who is protected by the legislation? | A natural person. Does not have to be a citizen, or a resident of a specific province. | Natural persons resident in the EU, or EU citizens. | Consumers resident in California, if they are natural persons. |
| Are employees protected? | Generally, not. | Generally, yes. | Limited application; however, this may change. |
| What kind of information is protected? | Personal information may be factual, subjective, recorded or not, about an identifiable individual. This could include employee files, loan records, or blood type. | Personal information may be factual, subjective, recorded or not, about an identifiable individual. This could include employee files, loan records, or blood type. | Personal information that could identify a consumer or household. |
| In what ways is information safeguarded? | Information must be protected in accordance with its sensitivity, and in light of developing risks. | Appropriate technical and organisational measures, taking into account current-day technologies, risks, and severities. | No explicit requirements; however, expect to take appropriate measures. |
| Notification requirements in event of a breach | As soon as feasible, in the event that a real risk of significant harm is posed to the individual (RROSH test). | Where possible, within 72 hours, unless a risk to the rights and freedoms of natural persons is unlikely. | There are different requirements based on the nature of the business. Generally, individuals affected by a breach must be notified very quickly. Note that notification under the CCPA is triggered by several events, not just a breach. This includes selling of data, and transfer of data during a merger. |
| Potential Penalties | Up to 100,000 Canadian Dollars. | Up to 20,000,000 euro, or up to 4% of annual worldwide turnover of the preceding financial year. | $100 to $750 per consumer per incident, or actual damages, whichever is greater. There are also civil penalties. |

As this chart demonstrates, there are several differences between PIPEDA, GDPR and CCPA. Some differences are slight, while others are more obvious. In any case, businesses need not only to be aware of their privacy obligations but also to take proactive measures to ensure compliance.

This means working hand in hand with your IT team to understand where your servers are, what kind of information your business is processing, and what kind of security measures are put in place.

It also means making sure your business is working together with competent legal counsel that understands the peculiarities of each law. With this in mind, and for more information, please feel free to contact me at michael.weinberger@siskinds.com.

February 20, 2020

60% of job applicants have lied on their CV

Verifile found that 60% of the CVs it checked in 2019 contained lies.
 
Digging deeper, their referencing teams found inaccuracies in: 

  • 13% of employments checked
  • 15% of professional memberships and licences checked
  • 13% of qualifications checked

As a background screening company, Verifile carries out a wide range of checks on behalf of clients, including those who need to carry out screening during their recruitment process.
 
Eyal Ben Cohen, founder and CEO at Verifile, said that lies and exaggerations on CVs are sadly commonplace: “While modern technology has brought the world closer together, and created access to a worldwide workforce, it has also made it easier for some to try and defraud others with fake identity, qualifications and careers.
 
“Sadly, too many people still believe that no one will take the time to check their CVs fully, for the suitability of the role they’re applying for.
 
“Verifile is committed to changing that and creating transparency so that any relationship a business enters into, whether that’s through recruitment or for another reason, is built on a strong foundation of trust.”
 
Meanwhile, the quality of Verifile’s knowledge and the tenacity of their teams were also highlighted by a drop of 7% in the number of checks returning ‘no result’, when compared to 2018 figures.
 
In 2019 Verifile were unable to verify only a tiny 4% of qualifications, employments and memberships listed on CVs.
 
“This is a very impressive figure which demonstrates how Verifile always goes that extra mile to verify every piece of information we receive,” explains Eyal.
 
“This number can never be 0% because there will always be companies or schools that have closed down and their records are unavailable. However, we continue to reduce it year on year, through chasing organisations for a response, and by only using direct sources to confirm a candidate’s claims.”
 
Booming background screening sector
 
The global background screening sector is booming, with more and more industries recognising the need to carry out pre- and post-employment checks.
 
Verifile itself saw 88% more individuals checked in 2019 compared to 2018. They also welcomed 329 new clients and checked people across 154 countries.
 
A lot of this is down to Verifile’s own investment in technology with a third of its checks now being placed via its own application programming interface (API).
 
“Pre-employment background screening not only builds trust, it also makes sure public safety remains intact,” adds Eyal.
 
“If someone claims to have a skill or qualification necessary for a specific task, it’s too late to find out they have lied on their CV once something goes wrong.”
 
Verifile offers a host of pre- and post-employment background screening options, individually or as part of a bespoke package. These include CV verification, social media checks, credit checks, identity checks, and criminal checks.
 
They can carry out these checks via thousands of up-to-date data sources in almost every country in the world. To find out more about the services they offer and how they can help businesses of all sizes develop robust and compliant screening procedures, visit www.verifile.co.uk

February 13, 2020

Walgreens to pay $7.5M in settlement over phony pharmacist

Walgreens will pay $7.5 million to settle with California authorities after an employee was found to be impersonating a pharmacist in San Francisco.

Kim Thien Le pleaded not guilty to felony impersonation charges, as reported by ABC News.

Prosecutors said that from late 2006 through 2017, Le used the license numbers of genuine and registered pharmacists and impersonated them.

She then dispensed more than 745,000 prescriptions at Walgreens stores in Santa Clara and Alameda counties, allegedly including more than 100,000 for opioids such as fentanyl, morphine and codeine.

Le herself didn't have a pharmacist license, prosecutors said.

The district attorneys in both counties filed a consumer protection action against Walgreens, with prosecutors on 3 February 2020 announcing the pharmacy giant agreed to settle.

The company will pay $7.5 million in penalties, costs and remedial payments.

“The burden is on the company to make sure its employees are properly licensed and to complete a thorough background check,” Alameda County District Attorney Nancy O’Malley said in a news release announcing the settlement.

The complaint alleged Walgreens failed to vet Le thoroughly when it promoted her to positions requiring a license and failed to make sure that its internal systems were strong enough to prevent an employee from evading them.

In a statement, Walgreens said Le hasn't worked for the company since 2017, adding: "Pharmacy quality and safety are top priorities, and upon learning of this issue, we undertook a re-verification of the licenses of all our pharmacists nationwide."
