On November 1, 2018, approximately 18,000 employers will be required to:
- report breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals;
- notify affected individuals about those breaches; and
- keep records of all breaches involving personal information.
Failing to comply with the foregoing requirements will constitute an offence which may result in a fine of up to $100,000. In the case of notification to individuals, it will be a separate offence for every individual left without notification of the breach.
This blog answers 5 key questions employers have with respect to the new mandatory breach reporting requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
1. Does PIPEDA apply to our organization’s employee records?
Maybe. PIPEDA applies to personal information about employees of an organization that collects, uses, or discloses the information in connection with the operation of a federal work, undertaking, or business. Only about 18,000 employers and 6% of the Canadian workforce are federally regulated. Some of the most common federally regulated businesses and industries are:
- interprovincial or international trucking, shipping, railways, or other transportation;
- nuclear energy; and
- activities related to maritime navigation and shipping.
2. How do you determine if there is a real risk of significant harm?
Only breaches that pose a “real risk of significant harm” to the affected individuals are reportable.
Significant harm is defined as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Whether there is a real risk of significant harm must be assessed on the basis of the sensitivity of the personal information involved and the probability that the information will be misused.
If there is a real risk of significant harm, the breach must be reported as soon as feasible to the Office of the Privacy Commissioner of Canada (“OPC”) with the prescribed information.
3. What information needs to be included in a report to the OPC?
The report must be in writing and contain the following information:
- a description of the circumstances of the breach and, if known, the cause;
- the day on which, or the period during which, the breach occurred, or an approximate period if unknown;
- a description of the personal information that is the subject of the breach to the extent that the information is known;
- the number of individuals affected by the breach, or an approximate number if unknown;
- a description of the steps that the employer has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
- a description of the steps that the employer has taken or intends to take to notify affected individuals of the breach; and
- the name and contact information of a person who can answer, on behalf of the employer, the OPC’s questions about the breach.
The OPC encourages employers to utilize the form of report available here.
4. Who needs to be informed of the reported breach?
If there is a real risk of significant harm to an individual, the employer must notify the individual concerned with the prescribed information as soon as feasible. A notification to an affected individual must contain:
- a description of the circumstances of the breach;
- the day on which the breach occurred, or an approximate period if unknown;
- a description of the personal information that is the subject of the breach;
- a description of the steps the employer took to reduce the risk of harm;
- a description of the steps the individuals can take to reduce the risk of harm; and
- contact information for the individuals to obtain further information about the breach.
Employers must also notify any other government institutions or organizations that it believes can reduce the risk of harm that could result from the breach or mitigate the harm.
5. Which breaches need to be recorded under PIPEDA?
All. Even if the breach is not reportable, employers need to maintain a record of all breaches for at least 24 months. The OPC expects employers to maintain reports of all breaches that contain, at least the following information:
- date or estimated date of the breach;
- general description of the circumstances of the breach;
- nature of information involved in the breach;
- whether or not the breach was reported to the OPC/individuals were notified; and
- sufficient details for the OPC to assess whether the employer has correctly applied the real risk of significant harm standard and otherwise met its obligations to report and notify in respect of breaches that pose a real risk of significant harm.