As we reported last week, Bill S-4, An Act to Amend the Personal Information Protection and Electronic Documents Act and to Make a Consequential Amendment to Another Acthas been wending its way through the Senate and the House of Commons since its introduction in April of 2014, when it was first introduced. As the name states, this legislation amends the Personal Information Protection and Electronic Documents Act (PIPEDA). The consequential amendment is to the Access to Information Act.
The Bill received second reading on June 2nd and should be passed before Parliament rises for the summer.
Yesterday we outlined some of the consent and disclosure requirements of the legislation, as well as new definitions dealing with business contact information. Today we deal with new provisions regarding breaches of security safeguards and standards.
A new Division 1.1 is created, addressing “breaches of security safeguards” in new sections 10.1 through 10.3. The test for reporting a security breach is a “Real Risk of Significant Harm”. This is similar to the test found in the Alberta Personal Information Protection Act (PIPA). “Real Risk of Significant Harm” is defined to “include[s] bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”. Relevant factors for identifying whether there is a real risk of significant harm in Bill S-4 are:
- the sensitivity of the personal information involved in the breach; and
- the probability that the personal information has been, is being or will be misused”;
- with the possibility of adding “any other prescribed factor”.
The legislation also prescribes the contents, form and timeline for issuing a notification that a breach has occurred:
- The notification must contain “sufficient information” to allow an individual to understand the significance of the breach and to take steps to mitigate or reduce any harm that could result from it;
- Any other “prescribed information” that could be required under regulations;
- The notification must be “conspicuous” and given directly to the individual, provided it is feasible to do so; and
- The notification must be provided “as soon as feasible” after a breach has occurred. A record of any breach must be kept. The requirement is for a record Records of Breaches of every breach of security safeguards involving personal information under an organization’s control. These records must be provided to the Privacy Commissioner on request.New sections 17.1 and 17.2 give the Privacy Commissioner additional powers to enter into enforceable compliance agreements with organizations the Commissioner believes, on reasonable grounds, have contravened or are likely to contravene the provisions of Division 1 or 1.1, or have failed to follow a recommendation as set out in Schedule 1 of the Act. A compliance agreement may contain any terms that the Commissioner considers necessary to ensure compliance with the requirements of PIPEDA.
- Section 14 of is amended to regarding when an applicant can apply to the Federal Court for a hearing after receiving the Commissioner’s report or being notified that the investigation of a complaint has been discontinued. The time frame is extended from 45 days to one year for a complainant to make an application to the Court after a report or notification is sent.
- An organization that notifies an individual of a breach must also notify any other organization or government institution that can reduce the risk or mitigate the harm from the breach. Limited disclosure of the personal information may also be made to such an organization or government institution without the individual’s consent in order to reduce the risk or mitigate the harm resulting from the breach.