Last month the Canadian government published proposed regulations relating to the mandatory reporting of privacy breaches under Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
While the regulations put forth by the government are simply proposed rules, they do provide an indication of what will likely be included in the final regulations. The regulations are expected to be finalized in the coming months.
This Compliance Bulletin examines the relevant PIPEDA provisions, the proposed data breach regulations and the potential implications for organizations subject to PIPEDA.
In June 2015, Canada passed into law the Digital Privacy Act (DPA), a law that made a number of important changes to PIPEDA. While most of the amendments contained in the DPA came into force in 2015, the provisions of the law relating to mandatory data breach reporting and record-keeping have not yet come into force.
Once in force, the data breach provisions of PIPEDA and corresponding regulations will require organizations to report to the Office of the Privacy Commissioner of Canada (Commissioner) any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual. Organizations will also be required to notify any affected individuals and any other organization or government institution that may be able to mitigate the harm to affected individuals. The report and notification must occur as soon as feasible after the organization determines that a breach has occurred.
Under that law, “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. Factors organizations must consider when assessing whether a breach creates a real risk of significant harm to an individual include the sensitivity of the personal information involved and the probability that the personal information has been, is being or will be misused.
Reports to the Commissioner: Content, Form and Manner
According to the draft regulation, a report to the Commissioner must be made in writing and contain the following information:
- A description of the circumstances of the breach and, if known, the cause;
- The day on which, or the period during which, the breach occurred;
- A description of the personal information that is the subject of the breach;
- An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
- A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
- A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach; and
- The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Under the proposed regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.
Requirements for Notifying Affected Individuals of a Data Breach
Under PIPEDA, notification to an affected individual must contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if possible, to reduce or mitigate the risk of harm that could result. According to the draft regulations, a notification to an affected individual, at a minimum, must contain:
- A description of the circumstances of the breach;
- The day or time frame the breach occurred;
- Descriptions of the type of personal information that was compromised during the breach;
- A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
- A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
- A toll-free number or email address impacted individuals can use to obtain further information regarding the breach; and
- Information about the organization’s internal complaint process and about the affected individual’s right, under the PIPEDA, to file a complaint with the Commissioner.
Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure form of communication if the affected individual consented to receiving information from the organization in that manner.
Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the draft regulations, organizations will be able to provide indirect notification only if:
- A direct notification would cause further harm to the affected individual;
- The cost of giving a direct notification is prohibitive for the organization; or
- The organization does not have contact information for the affected individual or the information that it has is out of date.
The draft regulations indicate that indirect notification may be given only by either a conspicuous message, posted on the organization’s website for at least 90 days, or by means of an advertisement that is likely to reach the affected individuals.
Once in force, the data breach provisions of PIPEDA and the regulations will require organizations to maintain a record of every breach of security safeguards. The draft regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.
While the regulations are not finalized and an enforcement date has not yet been announced, organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrate burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact.
To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.
© Zywave, Inc. All rights reserved