On September 2, 2017, the proposed regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) were published in Part I of the Canada Gazette and interested stakeholders were invited to provide comments to the Director of the Privacy and Data Protection Directorate within 30 days. The proposed Breach of Security Safeguards Regulations (Regulations) provide further details regarding the implementation of recent changes to mandatory data breach reporting requirements pursuant to the Digital Privacy Act (set out in Division 1.1 of PIPEDA).
It is important to note that, although most of the changes contained in the Digital Privacy Act came into force on Royal Assent in June 2015, the mandatory reporting provisions included in Division 1.1 of PIPEDA are not yet in force because they require regulations establishing the notification process for situations where privacy breaches result in “a real risk of significant harm”. To that end, the goal is to have the Regulations come into effect at the same time as the statutory requirements pertaining to data breach reporting under Division 1.1 of PIPEDA.
However, these changes will not take place instantly: the mandatory data breach reporting requirements set out in the Digital Privacy Act will be brought into force through a subsequent Order in Council once the Regulations are final, and they will allow for a delayed coming into force after they are published in order to give organizations some time to respond and adjust their policies and procedures so that systems are in place to address any applicable breaches.
What were the changes made under the Digital Privacy Act in June 2015?
In a nutshell, the mandatory data breach reporting requirements in the Digital Privacy Act require organizations to take certain actions once they experience a data breach, known as a “breach of security safeguards”. Section 2.1 of PIPEDA defines a “breach of security safeguards” as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 (this deals with Principle 7 involving security safeguards) or from a failure to establish those safeguards.
When faced with a breach of security safeguards, organizations are obligated to report to the Office of the Privacy Commissioner, notify affected individuals, and inform any relevant third parties where the breach poses “a real risk of significant harm”. Organizations must also notify any other organization or government institution where doing so may reduce the risk of harm. According to the Office of the Privacy Commissioner, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft, among others. Factors that organizations must consider when assessing whether there is a real risk of significant harm include the sensitivity of the information involved, the probability that the information was or will be misused, and any other prescribed factor.
These notification requirements must be met as soon as possible following the breach. Moreover, organizations must keep an accurate record of all breaches and be ready to provide a copy of the record to the Office of the Privacy Commissioner if required.
Until the provisions come into force, breach reporting is voluntary. More detailed requirements regarding the reporting are found in the Regulations.
What is required under the proposed Regulations?
The main purposes of the Regulations are to: ensure that all Canadians will receive consistent information about data breaches that pose a risk of significant harm to them; ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach; ensure that the Privacy Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm; and ensure that the Privacy Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the Privacy Commissioner.
In order to accomplish these goals, the Regulations specify the minimum requirements for providing a data breach report to the Privacy Commissioner, the minimum requirements for notifying affected individuals of a data breach, and the scope and retention period for data breach record-keeping.
More specifically, the Regulations address the following:
- Data breach report to Privacy Commissioner: the Regulations list the categories of information that must be contained in the report to the Commissioner, without precluding any additional information from being provided where the organization believes it is pertinent for understanding the incident. Moreover, they allow for data breach reports to be submitted with the best information available to the reporting organization at the time to allow organizations to report within the proper time frame even if all of the information is not yet available. Organizations may provide updates to the report at a later date if further pertinent information becomes available. The report must be in writing and contain: (a) a description of the circumstances of the breach and, if known, the cause; (b) the day on which, or the period during which, the breach occurred; (c) a description of the personal information that is the subject of the breach; (d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm; (e) a description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm; (f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act; and (g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
- Notification to affected individuals: the Regulations list the categories of information that must be included in the notification to affected individuals, without precluding any additional information that may be relevant. The notification must contain: (a) a description of the circumstances of the breach; (b) the day on which, or period during which, the breach occurred; (c) a description of the personal information that is the subject of the breach; (d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm; (e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm; (f) a toll-free number or email address that the affected individual can use to obtain further information about the breach; and (g) information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner. Furthermore, the Regulations take into consideration various forms of communication including direct versus indirect notification and stipulate what is permitted. For example, direct notification is to be given to the affected individual: (a) by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner; (b) by letter delivered to the last known home address of the affected individual; (c) by telephone; or (d) in person. 
Additionally, indirect notification is to be given to the affected individual by an organization in any of the following circumstances: (a) the giving of direct notification would cause further harm to the affected individual; (b) the cost of giving direct notification is prohibitive for the organization; (c) the organization does not have contact information for the affected individual or the information that it has is out of date. Indirect notification can be given by a conspicuous message posted on the organization’s website for at least 90 days or by means of an advertisement that is likely to reach the affected individuals.
- Data breach record-keeping: the Regulations require organizations to maintain sufficient information in a data breach record to show that they are tracking data security incidents resulting in a breach of personal information. The term “record” is defined broadly in order to cover any material regardless of medium or form. The minimum time period for retaining data breach records is 24 months. Within this time period, organizations must be ready to provide the information to the Privacy Commissioner on request.
When do these changes come into force?
The Regulations come into force on the day on which section 10 of the Digital Privacy Act comes into force, but if they are registered after that day, they come into force on the day on which they are registered.
As mentioned above, the Regulations allow for a delayed coming into force after publication to give organizations time to respond accordingly.
Takeaway for organizations
Organizations that have control over an individual’s personal information should become familiar with the above requirements so that they are prepared to respond to the changes. This means that organizations must ensure they have established policies and procedures for tracking and reporting data breaches in accordance with the requirements mentioned above. One way to start is to review existing privacy policies and confirm that a data breach notification system is in place.
In addition to creating the required privacy policies and procedures, organizations need to train employees on the policies and procedures that make up the data breach notification system. Organizations should ensure that employees understand the system that has been created and how to internally report a data breach in accordance with the new system.
These requirements are not only a matter of best practice; they must also be met in order to avoid fines for offences committed under the Digital Privacy Act. In fact, noncompliance (knowingly failing to report or notify affected individuals, or knowingly failing to maintain proper records) could lead to fines of up to $100,000.