On September 2, 2017, the Government of Canada published proposed new regulations (“Regulations”) in the Canada Gazette, which provides an update and sets out details regarding the mandatory data breach reporting requirements (“Data Breach Reporting Requirements”) under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) amended PIPEDA in a number of areas. One of the key changes was the establishment of mandatory data breach reporting requirements. The Data Breach Reporting Requirements were passed in June, 2015 but are not yet in force.
With the implementation of Division 1.1 of PIPEDA, organizations that experience a data breach will have certain obligations including:
- the organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach by conducting a risk assessment;
- if the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the “Commissioner”) as soon as feasible;
- the organization must notify any other organization that may be able to mitigate the harm to affected individuals; and
- the organization must maintain a record of any data breach that it becomes aware of and provide it to the Commissioner upon request.
The proposed Regulations list the categories of information that must be contained in a notification to affected individuals. This approach is intended to provide some certainty to organizations as to what is required, at minimum, to comply with the statutory requirements for notification. At the same time, it provides flexibility on the format, design and means of notification. This allows organizations to conduct notifications in line with established practices and expectations of their stakeholders. The proposed Regulations also identify certain commonly used forms of communication as appropriate means of direct notification to individuals.
Further, the proposed Regulations list the categories of information that must be contained in a report to the Commissioner and affirm that the purpose of data breach record-keeping is to facilitate oversight by the Commissioner and to ensure compliance with requirements, which may encourage better data security practices by organizations.
To this end, the Regulations will require organizations to maintain sufficient information in a data breach record to demonstrate that they are tracking data security incidents that result in a breach of personal information, and require that organizations hold data breach records for a minimum period of time, specifically 24 months. This allows the Commissioner to request and review the history of breaches experienced by a particular organization within a two-year window.
Stay tuned regarding the Data Breach Reporting Requirements coming into force.