The Digital Privacy Act amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) on July 18, 2015. On September 2, 2017, the Government of Canada released proposed changes to PIPEDA: Breach of Security Safeguards Regulations (“proposed regulations”). The proposed regulations, not yet in force, introduce mandatory data breach reporting and notification requirements for organizations that suffer from a breach of security safeguards. The only other jurisdiction in Canada which has legislated mandatory data breach reporting and notification requirements is Alberta. While Alberta’s privacy law, Personal Information Protection Act, (PIPA) offers some assistance in interpreting the proposed PIPEDA regulations, they are limited since the text differs in a few significant ways.
PIPEDA defines breach of security safeguards as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.” (PIPEDA, s.2(1)).
The proposed regulations impose certain obligations on organizations which experience a data breach. Under these regulations, organizations need to assess whether the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach by conducting a risk assessment. This is a two-pronged test and both elements must be established for the notification requirement to apply. “Significant harm” includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” (Breaches of Security Safeguards, s. 10.1(7)). The factors to consider when determining whether there is a “real risk” include the sensitivity of the personal information involved in the breach and the probability that the personal information will be misused. Other factors may be introduced through regulation to assist organizations in assessing the risk.
Once the organization has determined that the breach poses a real risk of significant harm, it must report the breach to: (1) the affected individuals; (2) the Privacy Commissioner of Canada (“OPC”); and (3) any other organizations that may be able to mitigate harm to affected individuals.
Report to the Commissioner
The report to the OPC must be made “as soon as feasible”. The proposed regulations describe the content, form, and manner of reporting. The report must be in writing and must contain:
- a description of the circumstances of the breach and, if known, the cause;
- the day on which, or the period during which, the breach occurred;
- a description of the personal information that is the subject of the breach;
- an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
- a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
- a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach; and
- the name and contact information of a person who can answer the OPC’s questions about the breach on behalf of the organization.
Notice to Affected Individuals
Notice to affected individuals must contain “sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.” (Breaches of Security Safeguards, s.10.1(4)). The notice should be conspicuous and be given to the individual directly. The regulations specify that such direct notification must include:
-
a description of the circumstances of the breach;
-
the day on which, or period during which, the breach occurred;
-
a description of the personal information that is the subject of the breach;
-
a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
-
a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
-
a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
-
information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
Along with the above manner of direct notification, the proposed regulations also allow notice to be given to affected individuals indirectly. The circumstances under which indirect notification can be given are: (1) if giving direct notification would cause further harm to the affected individual; (2) if the cost to the organization would be prohibitive; or (3) if the organization does not have contact information for the affected individual or the information that it has is out of date. The regulations also include the manner in which direct and indirect notification has to be given to the affected individual.
Notice to Organizations:
The proposed regulations state that an organization that notifies an individual of a breach of security safeguards under subsection 10.1(3) shall notify any other organization, government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or institution concerned may be able to reduce or mitigate the risk of harm, or if any of the prescribed conditions are satisfied. (Breaches of Security Safeguards, section 10.2(1)). The proposed regulations do not provide further information as to the form, manner, and content of this notification.
Conclusion
The Government has given stakeholders 30 days to provide comments. Organizations should consider offering their input before October 2, 2017, in order to gain further clarity and to air their concerns. They should also consider updating their incident response plans and breach notification policies since non-compliance carries monetary penalties of up to $100,000 per violation.
About the author
Sarah Nasrullah is a corporate/commercial lawyer who focuses on privacy and cybersecurity issues.