Compliance agreement between the Privacy Commissioner of Canada and Equifax Canada Co.
WHEREAS the Privacy Commissioner of Canada (“the Commissioner”) is responsible for the administration and enforcement of Part 1 of the Personal Information Protection and Electronic Documents Act (the “Act”), which governs the collection, use or disclosure of personal information by organizations in the course of commercial activities;
AND WHEREAS Equifax Canada Co. (“Equifax Canada”) is a credit reporting agency incorporated in Canada;
AND WHEREAS on September 8, 2017, the Commissioner began an investigation of Equifax Canada and Equifax Inc. in light of the breach of personal information announced by Equifax Inc. on September 7, 2017, subsequent to receiving complaints from individuals about this matter;
AND WHEREAS the Commissioner, in the course of his investigation, found that Equifax Canada had contravened several provisions of Division 1 of the Act, as described in a report of findings issued by the Commissioner (“Report of Findings”);
AND WHEREAS in the Report of Findings the Commissioner made several recommendations to Equifax Canada to ensure Equifax Canada’s compliance with the Act;
AND WHEREAS while Equifax Canada acknowledges the Commissioner’s findings, it does not admit fault, liability or the truth of the findings, claims or arguments set out in the Report of Findings;
AND WHEREAS the Parties agree that while entering into this Agreement is voluntary, once entered into, it binds the parties to the obligations herein and failure to comply with it may trigger the application of s. 17.2(2) of the Act;
NOW THEREFORE, pursuant to ss. 17.1 and 17.2 of the Act, the Commissioner and Equifax Canada hereby agree as follows:
- For the purpose of this Agreement, the following definitions shall apply:
- “Act” means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5;
- “Agreement” means this Compliance Agreement entered into by Equifax Canada and the Commissioner pursuant to s. 17.1 of the Act;
- “Commissioner” means the Privacy Commissioner of Canada appointed pursuant to s. 53(1) of the Privacy Act, R.S.C. 1985, c. P-21 and his authorized representatives;
- “Parties” means the Commissioner and Equifax Canada;
II. REMEDIAL MEASURES
- In order to address the Commissioner’s recommendations contained in the Report of Findings, Equifax Canada shall (including through measures it has already taken):
a. In relation to the adequacy of consent obtained for the collection of Canadian personal information by Equifax Inc. and/or its affiliates, and the transfer of Canadian personal information to Equifax Inc. and/or its affiliates, Equifax Canada shall ensure that, by September 30, 2019, communications to individuals purchasing or accessing Canadian direct-to-consumer products are revised to clearly explain:
- the nature and purpose of the personal information collected by and transferred to Equifax Inc. and/or its affiliates in the U.S., for both information directly collected by Equifax Inc. and/or its affiliates, and information transferred to Equifax Inc. and/or its affiliates by Equifax Canada. These communications should be made prominently on relevant transaction pages/scripts. To the extent that individuals can obtain similar services from Equifax Canada without the need for such transfers, Equifax Canada shall ensure that Equifax Inc. and/or its affiliates inform individuals of these options on the relevant transaction pages/scripts.
b. By December 31, 2019, seek additional express consent (i.e. that includes positive action by individuals to confirm consent) from any current customers of Equifax Inc. or its affiliates that are receiving Canadian direct-to-consumer products. Communications related to this additional consent should be made prominently and, at a minimum, provide current customers with information about the nature and purpose of the personal information that is collected, used and/or stored in the U.S. for both: (i) personal information directly collected by Equifax Inc., or its affiliates, from Canadians and (ii) personal information that is transferred to Equifax Inc., or its affiliates, by Equifax Canada.
Safeguards and Accountability
c. By March 15, 2019, submit to the OPC a draft comprehensive written arrangement between Equifax Consumer Services LLC and Equifax Canada defining appropriate controls for all Canadian personal information collected by Equifax Consumer Services LLC and disclosed to Equifax Consumer Services LLC by Equifax Canada that includes a structured framework for addressing any issues arising under it, and implement a procedure to keep the written arrangement up-to-date. The above to be finalized by April 30, 2019.
d. By April 30, 2019, develop a robust data retention and privacy program that covers those requirements in the agreement referred to in subsection (c) above, and that includes the monitoring and participation of Equifax Canada’s privacy office.
e. By September 30, 2019: (i) ensure that a data inventory program is established; (ii) complete a thorough initial data inventory of Equifax Inc. systems to identify Canadian personal information; and (iii) delete or anonymize all Canadian personal information identified as of that date, that should no longer be retained by Equifax Inc. according to its retention schedule. In the event that this commitment cannot be fully implemented within the timeframe indicated above, Equifax may request, without delay and in writing, an extension to the timeframe. Upon considering Equifax’s request, the Commissioner may grant an extension if he is satisfied that one is warranted in the circumstances. For clarity, the parties agree that a data discovery and remediation program is an ongoing ‘business as usual’ process.
f. Unless otherwise specified below, commencing with a submission by December 31, 2019, and then, every two (2) years thereafter, for a six (6) year term, provide to our Office:
- a report from Equifax Canada detailing its compliance monitoring for the data retention and privacy aspects of the arrangement described in section c. above;
- the audit report and related certification of Equifax Inc.’s information security program using an acceptable security standard, for Canadian personal information, conducted by an accredited external auditor. For clarity, “acceptable security standard” includes ISO 27001, or a comparable security industry framework; and
- an assessment of Equifax Inc.’s retention program, specifically, its adequacy of data removal program, and, where necessary, remediation of identified items, covering all Canadians’ personal information processed by Equifax Inc., conducted by an appropriate external third party once the program has been fully implemented as outlined in e. above.
g. In relation to the adequacy of Equifax Canada’s safeguards of personal information of Canadians that it holds, Equifax Canada shall:
- Provide our office with the audit report and related certification of Equifax Canada’s information security program using an acceptable security standard, for Canadian personal information, conducted by an accredited external auditor every two (2) years for a six (6) year term, beginning with a first report by March 31, 2019. For clarity, “acceptable security standard” includes ISO 27001 or a comparable security industry framework.
- On a strictly ‘free-of-charge’ basis for the product, offer the identified group of Canadians whose personal information was impacted by the 2017 cybersecurity incident (“Affected Canadians”) the opportunity to enroll in an additional two years of Equifax Complete™ Premier credit monitoring or the same length offered to other affected individuals in North America in connection with the 2017 cybersecurity incident, whichever is longer. Enrollment shall be open for a six-month period from June 30, 2019 to December 31, 2019. For clarity, it is acknowledged that the credit monitoring offerings in North America may differ and this requirement is limited in scope to the length of the offering only.
h. For greater certainty, external audits or assessments of Equifax Inc. and Equifax Canada’s information security programs conducted in the regular course of business or performed to meet other legal or regulatory requirements or agreements may be provided to the Commissioner and will satisfy the requirements detailed in section 2f.ii. and 2g.i. to the extent that the related reports are sufficiently detailed and are conducted using an acceptable security standard.
III. COMPLIANCE REPORTING, MONITORING AND ENFORCEMENT
- The Commissioner may, at his discretion and from time to time, request information and documents from Equifax Canada for the purpose of verifying its compliance with this Agreement.
- The Commissioner may also visit Equifax Canada’s places of business, and any places of business where Canadian personal information is being processed on behalf of Equifax Canada, for the purpose of verifying compliance with this Agreement at any time, subject to providing fourteen (14) days prior notice by the Commissioner to Equifax Canada.
- Equifax Canada acknowledges that if the Commissioner is of the opinion that Equifax Canada is not complying with the terms of this Agreement, the Commissioner may, after providing written notice to that effect to Equifax Canada, apply to the Federal Court for an order requiring Equifax Canada to comply with the Agreement or such other relief as may be available in law, in accordance with s. 17.2(2) of the Act.
- Equifax Canada will pay the costs of its compliance with this Agreement.
- Notices, reports and other communications required or permitted pursuant to any of the terms of this Agreement shall be in writing and shall be considered to be given if delivered, either by hard copy or electronic copy, to the following addresses:
- The Commissioner
Commissioner Daniel Therrien
c/o Amanda Edmunds
30 Victoria Street, 8th floor
Gatineau, QC K1A 1H3
- Equifax Canada
5700 Yonge Street, Suite 1600
- Nothing in this Agreement shall prevent or otherwise limit the Commissioner from exercising or performing any of his powers and duties under the Act, including his duty to investigate complaints under s. 12(1), his power to initiate a complaint under s. 11(2), or his power to audit personal information management practices under s. 18(1) of the Act.
- Nothing in this Agreement derogates from the rights and remedies available under Part 1 of the Act to any other person arising from the conduct described in this Agreement and in the Report of Findings or arising from future conduct.
- Equifax Canada acknowledges that the terms of this Agreement as well as the Report of Findings may be disclosed or made public in accordance with the Commissioner’s authorities under s. 20(2) of the Act or as required by law.
- Equifax Canada acknowledges that it has had the opportunity to be represented by counsel and to obtain legal advice with respect to this Agreement.
- This Agreement comes into effect when it has been signed by both Parties, and terminates upon written confirmation by the Commissioner that remedial measures described in Section II referred to above have been satisfied, which confirmation the Commissioner shall provide promptly to Equifax Canada after he determines that they have been satisfied.
DATED at Toronto, this day of 2019.
Equifax Canada Co.
Vice President Legal
I have authority to bind the corporation.
DATED at Gatineau, in the Province of Quebec, this day of 2019.
Privacy Commissioner of Canada