Innovation, Science and Economic Development Canada has issued a consultation paper asking Canadians what should be included in new data breach regulations that will be made under the Personal Information Protection and Electronic Documents Act (PIPEDA). The consultation will close on May 31, 2016. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely, therefore, that we would see breach reporting come into force in Canada before the last quarter of the year.
Why are regulations required?
Canada’s Parliament enacted the Digital Privacy Act in 2015. The Act included amendments to PIPEDA that will introduce new provisions relating to breaches of security safeguards. These provisions include mandatory breach reporting to the Office of the Privacy Commissioner of Canada (OPC) and to individuals and, in some cases, third parties. The provisions also contain controversial record-keeping requirements. These new data breach provisions will not come into force until the Government passes regulations regarding the form and content of the required notices. The Government may also supplement certain provisions in the legislation by way of regulation.
What are the key data breach obligations?
Once the amendments to PIPEDA come into force, organizations will have four new obligations regarding data breaches:
- Organizations will need to keep records of breaches of security safeguards.
- Organizations will be required to report a breach of security safeguards to the OPC if it is reasonable to believe that the breach creates a real risk of significant harm to an individual.
- Organizations will be required to notify affected individuals about a breach where it is reasonable to believe that the breach creates a real risk of significant harm to the individual.
- Organizations will be obligated to notify third parties if the third party could mitigate the risk of harm to the affected individual.
A “breach of security safeguards” is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s safeguards that are referred to in Clause 4.7 of Schedule 1 or from a failure to establish those safeguards.” Clause 4.7 of Schedule 1 of PIPEDA is the principle that requires an organization to protect personal information by physical, organizational, and technological measures that are proportional to the sensitivity of the personal information.
What is the consultation about?
The consultation relates to five key issues.
- Record keeping: The Government wants to know what records organizations should be required to keep and for how long.
- Risk assessment: The Digital Privacy Act provides that an organization assessing whether there is a “real risk” of significant harm should consider the sensitivity of the personal information involved in the breach, the probability that it will be misused, and other factors that could be prescribed by regulation. The Government wants to know whether further factors should be specified and whether the risk of harm should be presumed to be low for data that was encrypted.
- Reports to the OPC: The Government has asked what should be included in reports to the OPC about a breach of safeguards that poses a real risk of significant harm to the individual. The Government has asked whether reports should be made through a secure electronic tool developed by the OPC.
- Notices to Individuals: The Government is considering a number of issues relating to individual notices. What should the content of the notices be? How much detail should be required? How should notices be delivered? Do the notices need to be separate from other communications by the organization? When should organizations be able to give notice indirectly, such as through posts on the organization’s website?
- Notices to Third Parties: The Government is mindful that third parties such as law enforcement and consumer (credit) reporting agencies have a role to play in the protection of individuals from fraud and identity theft. The Government is asking whether there are circumstances that should be enumerated where reporting to third parties should be required.
What about the Province of Alberta’s regime?
The Government acknowledged that the Alberta regime for mandatory breach reporting has been in place for several years and that lessons could be learned from that province’s approach. However, the Government does not seem to be focused on ensuring that there is a harmonized system. It is possible, therefore, that we could see different types of reports and notices being required under PIPEDA than under Alberta’s law.