Written by Ruth E. Promislow, Martin P.J. Kratz and Katherine Rusk
Almost three years after the Digital Privacy Act was passed, the federal government has finalized regulations on mandatory breach notification, reporting, and recordkeeping for the private sector in Canada. The regulations were published yesterday and by separate Order in Council will come into force November 1, 2018, under the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA applies to the collection, use or disclosure of personal information in the course of commercial activity. It governs the federally regulated private sector, personal information that crosses provincial or national borders, and the provincially regulated private sector in every province that has not enacted substantially similar legislation of its own.1 A "breach of security safeguards" under PIPEDA has three elements: (1) personal information held by the organization; (2) a breach of, or failure to establish, the security safeguards the organization is obliged to maintain for that information; and (3) a resulting loss of, unauthorized access to or unauthorized disclosure of that personal information.
Notification and reporting are mandatory where it is reasonable to believe the breach creates a "real risk of significant harm" to an individual. PIPEDA defines "significant harm" as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. Whether the risk is "real" turns on the sensitivity of the personal information involved and the probability that it has been, is being or will be misused.
Where a breach creates a real risk of significant harm, two obligations come into play for the breached organization: (1) notification of the affected individuals; and (2) a written report to the Office of the Privacy Commissioner (OPC). A third obligation, (3) keeping a record of the breach, applies to every breach of security safeguards, whether or not it meets the real-risk-of-significant-harm threshold. An organization that notifies individuals must also notify any other organization or government institution that it believes may be able to reduce the risk of harm to those individuals.
1. Notification of the Impacted Individuals
Direct notification must be given to affected individuals "as soon as feasible" after the organization determines that the breach has occurred. It must contain enough information for the individual to understand the significance of the breach and to take steps to reduce the risk of harm, including: a description of the circumstances of the breach, the day or period on which it occurred, the personal information involved, the steps the organization has taken to reduce the risk of harm, the steps the individual can take to reduce that risk, and contact information for questions. Direct notification may be given in person, by telephone, mail or email, or in any other manner a reasonable person would consider appropriate in the circumstances.
Indirect notification (for example, a public announcement or a similar measure that can reasonably be expected to reach the affected individuals) is permitted where direct notification would be likely to cause further harm to the individual, would cause undue hardship for the organization, or where the organization does not have contact information for the individual.
Knowingly failing to notify affected individuals is an offence under PIPEDA, punishable by a fine of up to $100,000.
2. Written Report to the OPC
A written report of the breach must be made to the OPC "as soon as feasible" after the organization determines that the breach has occurred. The report must contain the prescribed elements, including: a description of the circumstances of the breach and, if known, its cause; the day or period on which it occurred; the type of personal information compromised; the number (or approximate number) of individuals affected; the steps the organization has taken to reduce the risk of harm; the steps it has taken or intends to take to notify the affected individuals; and a contact person who can answer the OPC's questions.
Knowingly failing to report to the OPC is an offence under PIPEDA, punishable by a fine of up to $100,000.
3. Record of Breaches
The organization must keep a record of every breach of security safeguards, not only those that meet the real-risk-of-significant-harm threshold, for at least 24 months after the day on which it determines that the breach occurred. The record must contain enough information to allow the OPC to verify that the organization has complied with its notification and reporting obligations, and the organization must provide the record to the OPC on request.
Knowingly failing to keep such a record is an offence under PIPEDA, punishable by a fine of up to $100,000.
Having an incident response plan is an integral part of meeting your organization's obligations under PIPEDA and other law, and advance preparation for mandatory breach notification, reporting and recordkeeping is a key part of that plan. The Bennett Jones Cybersecurity team can help update your existing plan to reflect these new requirements or draft a customized plan so that your organization is prepared when a data breach occurs.
1 Certain provinces, such as Alberta, British Columbia and Quebec, have private sector privacy legislation that has been declared substantially similar to PIPEDA, so PIPEDA does not apply to intra-provincial commercial activity there. Of those, Alberta's Personal Information Protection Act has had mandatory private sector breach reporting since 2010.