On September 17, 2018, the Office of the Privacy Commissioner of Canada (Privacy Commissioner) invited stakeholders to provide feedback, by October 2, 2018, on a draft guidance document and draft breach reporting form entitled What you need to know about mandatory reporting of breaches of security safeguards. More specifically, the provisions regarding mandatory reporting of privacy breaches (originating from the Digital Privacy Act changes of 2015) under the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force on November 1, 2018. Moreover, the Breach of Security Safeguards Regulations were published in the Canada Gazette on April 18, 2018 to provide further clarification concerning these changes. The purpose of the draft guidance and draft breach reporting form is to help businesses comply with these new mandatory breach reporting requirements.
The proposed document first explains the meaning of “breach of security safeguards” under PIPEDA as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.
It is important for all businesses, regardless of size, to understand this definition, because these requirements apply to every organization subject to PIPEDA and carry stiff penalties (fines) for noncompliance. That is, it is an offence to knowingly contravene PIPEDA’s breach reporting, notification and record keeping requirements. Although the Privacy Commissioner does not prosecute these offences, it refers information relating to the possible commission of an offence to the Attorney General of Canada, who carries out any prosecution.
The following is discussed in the guidance document:
- Obligations for reporting breaches to the Privacy Commissioner: organizations must report breaches involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. The real risk of significant harm must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability the personal information has been, is, or will be misused.
- Submitting a breach report to the Privacy Commissioner: this includes completing the proposed form set out below.
- Keeping records of all breaches: records of all breaches of personal information under an organization’s control must be kept for at least two years (other legal requirements may stipulate that the records be kept for longer periods of time), regardless of whether there is a real risk of significant harm. At minimum, the following must be included: the date or estimated date of the breach; a general description of the circumstances of the breach; the nature of the information involved in the breach; whether or not the breach was reported to the Privacy Commissioner of Canada and/or individuals were notified; and, if the breach was not reported to the Privacy Commissioner and/or individuals were not notified, a brief explanation of why the breach was determined not to pose a real risk of significant harm.
- Knowing when and how to notify individuals: this includes providing information similar to what is required when reporting to the Privacy Commissioner (along with the details of a contact person for further information) as soon as possible, directly by telephone, mail, email, or another form of communication that a reasonable person would consider appropriate in the circumstances. In some limited cases, the information can be communicated indirectly (such as through a public announcement) where: a direct notification would be likely to cause further harm to the affected individual; a direct notification would be likely to cause undue hardship for the organization; or the organization does not have contact information for the affected individual.
- Notifying organizations: when organizations notify an individual of a breach involving a real risk of significant harm, they must also notify any other government institutions or organizations that they believe can reduce the risk of harm that could result from the breach or mitigate the harm.
- Assessing real risk of significant harm: in order to achieve this goal, organizations must assess two things: one is the sensitivity of the personal information involved in the breach, and the other is the probability that the personal information has been, is being, or will be misused. The guidance provides questions organizations can ask themselves when delving into these factors.
PIPEDA breach report form
This form would be used when reporting breaches of security safeguards to the Privacy Commissioner. The goal is to provide information about the breach and the nature of the information affected, not to provide detailed information regarding names and other identifying details of the affected individuals.
Organizations must report the breach using this form as soon as possible after the breach, even if some of the information is not yet known or confirmed; organizations can always add or correct information as it becomes available. The Privacy Commissioner may also ask for further information from the organization for clarification purposes or to help with mitigation of damaging effects.
Although the Privacy Commissioner has a general duty to maintain confidentiality of breach reports, there are some exceptions to this rule. For example, the Privacy Commissioner may disclose information in a breach report to: domestic and international counterparts in accordance with information-sharing agreements or arrangements; to a government institution if the Commissioner has reasonable grounds to believe that the information could be useful in the investigation of a contravention of the laws of Canada or a province; or to the public where the Commissioner believes it is in the public interest to do so.
The main aspects of the form include:
- Organization information: the contact information of the organization involved
- Breach description: the number of individuals affected, when the breach occurred, the type of breach (how it occurred), circumstances of the breach and the cause if known, any security safeguards that were in place at the time of the breach, and a description of the personal information involved (the kind of information, not the actual information)
- Notification: a description of the notification to affected individuals (the dates, the method, and if possible a copy of the notification)
- Risk mitigation: the steps taken by the organization to reduce the risk of harm to the affected individuals or to mitigate that harm, a description of any other organizations and institutions notified about the breach, and any steps taken to reduce the risk of a similar event occurring in the future
As mentioned in the notice of consultation, interested stakeholders can provide feedback until October 2, 2018. Responses may be sent as an email, Word document, or PDF document to [email protected]. After that date, the final versions of the guidance and reporting form will be published.