On March 4, 2016, Innovation, Science and Economic Development Canada published its Consultation Paper on “Data Breach Notification and Reporting Regulations”, inviting public comment on the mandatory breach notification requirements which will be added as regulations under PIPEDA. Interested stakeholders have until May 31, 2016 to provide written comments and responses. The full text of the Consultation Paper is available at: http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf11177.html
Background: Enactment of the Digital Privacy Act
The Digital Privacy Act, which made a number of important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), came into force on June 18, 2015. For a detailed overview of the changes to PIPEDA, please see our previous blog post on Bringing Privacy Into the “Digital Age”.
One of the key amendments introduced by the Digital Privacy Act was the concept of mandatory breach notification obligations for organizations that have experienced a breach of security safeguards involving personal information under their control.
What Do Mandatory Breach Notification Obligations Mean?
The mandatory breach notification obligations mean that in the event of a “breach of security safeguards”, organizations will have five key data breach obligations outlined under the Digital Privacy Act, as follows:
- Risk Assessment: Determine if the breach poses “a real risk of significant harm” to any individual whose personal information was involved in the breach;
- Notices to Individuals: Notify individuals as soon as feasible of any breach that poses a “real risk of significant harm”;
- Reports to OPC: Report any data breach that poses “a real risk of significant harm” to the Office of the Privacy Commissioner of Canada, as soon as feasible;
- Notices to Third Parties: Where appropriate, notify any third party that the organization experiencing the breach believes is in a position to mitigate the risk of harm; and
- Record Keeping: Maintain a record of the data breach and make those records available to the Office of the Privacy Commissioner of Canada upon request.
A “breach of security safeguards” is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in Clause 4.7 of Schedule 1 [to PIPEDA] or from a failure to establish those safeguards.” Clause 4.7 requires organizations to protect personal information using safeguards that are proportional to the sensitivity of the personal information.
Organizations will need to assess breaches on a case-by-case basis to determine if breach notifications are required. This determination is based on various factors outlined in PIPEDA, including the sensitivity of the personal information involved and the probability that the information has been, is being, or will be misused.
The amendments also create offences and significant penalties for failure to comply with breach notification obligations.
The new data breach requirements under PIPEDA will come into force once the federal government passes regulations, which will provide greater clarity and specificity of the requirements under the Digital Privacy Act.
Accordingly, organizations should prepare to incorporate breach notification procedures into their existing privacy policies and practices so that they are ready when these obligations come into effect.
What is the Purpose of the Consultations?
The purpose of the Consultation Paper is to solicit stakeholder input and views on the key aspects of mandatory breach notification; the comments received will be taken into consideration in the preparation of the draft PIPEDA regulations.
In the Consultation Paper, the federal government has reviewed and outlined the key aspects of the approaches taken to mandatory breach notification in other jurisdictions, including Alberta, the United States and the European Union, and has set out a number of questions relating to each aspect.
The questions posed by the government include the following:
- Risk Assessment: Whether additional factors in assessing the “real risk of significant harm” should be specified in the regulations as mandatory considerations in the risk assessment.
- Notices to Individuals: What the scope and content of the breach notifications to individuals should include and whether organizations should, in certain circumstances, be able to provide notice indirectly (for example, through a notice posted on the organization’s website).
- Reports to OPC: What the scope and content of mandatory notifications to the Office of the Privacy Commissioner of Canada should include (including what information should be mandatory, whether reporting should be done in multiple stages, etc.) and how these notifications should be delivered.
- Notices to Third Parties: Whether the specific circumstances where reporting to third parties is required should be specified in the regulations.
- Record Keeping: What records organizations should be required to keep regarding data breaches, and whether the regulations should specify a retention period for such records.
It is recommended that all organizations that are subject to PIPEDA review the Consultation Paper in order to be aware of the data breach obligations and the issues being reviewed by the government. This will allow your organization to be better prepared to update its privacy policies and practices to reflect the data breach regulations, once in force.
Where Do I Send My Comments?
Written comments are to be submitted by no later than May 31, 2016 to: firstname.lastname@example.org (Microsoft Word or Adobe PDF format) or by hard-copy to: Data Breach Consultations, Privacy and Data Protection Directorate, Innovation, Science and Economic Development Canada, 235 Queen Street, Ottawa, Ontario K1A 0H5.