As we have written about in previous articles, data breach notification is now mandatory in Canada for the private sector in all jurisdictions where this was not already the case (e.g Alberta under the Personal Information Protection Act).
Data breach reporting obligations in Saskatchewan are influenced by a total of four relevant pieces of legislation, covering both public and private sectors. These laws will not all apply to every potential breach, of course, but it is crucial for organizations to understand that more than one of them may apply depending on the specific circumstances of the data breach:
- The Freedom of Information and Protection of Privacy Act (“FOIP”) applies to Government Institutions, such as ministries, Crown corporations, agencies, boards and commissions.
- The Local Authority Freedom of Information and Protection of Privacy Act (“LA FOIP”) applies to Local Authorities, such as school boards, post-secondary institutions, rural municipalities and regional health authorities.
- The Health Information Protection Act (“HIPA”) applies to wide range of organizations listed under 2(t) of HIPA who have custody or control over Personal Health Information.
- Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to any organization that collects, uses, or discloses personal information in a “commercial activity.” Saskatchewan does not have “substantially similar” privacy legislation, and, therefore, in Saskatchewan PIPEDA applies to all personal information used, collected, or disclosed in commercial activities and all personal information processed by “federal undertakings,” which then includes personal employee information of those organizations. Personal information of employees in the private sector is not governed by a provincial or federal law.
In Saskatchewan, FOIP, LA FOIP and HIPA are enforced by the Office of the Saskatchewan Information and Privacy Commissioner (“IPC”). PIPEDA is enforced through the Office of the Privacy Commissioner of Canada.
As each Act has its own unique requirements pertaining to notification (which parties to notify), threshold for what constitutes a breach, and timing, organizations must have a keen understanding of which law applies to each type of situation (the type and use of that information during which the breach occurred) in order to maintain compliance.
For example, a Local Authority may be governed by LA FOIP for personal information and HIPA for use of health information but, depending on the particular use of the personal information, may also fall under PIPEDA. Even a hospital may fall under PIPEDA in those circumstances where personal information it is responsible for is used in commercial activities. This is the case because Saskatchewan does not have “substantially similar” legislation to PIPEDA.
A recent case in connection with the tragic Humboldt Broncos bus crash in 2018 highlights the obligations as they pertain to HIPA. A privacy breach occurred when a physician accessed the personal health information of two individuals involved in the crash beyond the “need-to-know” principle. The Commissioner highlights five (consecutive) steps to consider in a breach: 1. contain the breach; 2. notify affected individuals and/or appropriate organizations; 3. investigate the breach; 4. plan for prevention; and 5. write an investigation report.
The steps taken in response to a breach under PIPEDA would not necessarily be the same. For example, notification of the Commissioner is not optional. This means that an organization may not be able to follow a single protocol, but instead may require a more tailored or nuanced approach.
After containing the data breach, it is important to carefully but swiftly analyze potential obligations under relevant legislation (e.g. what were the circumstances of the breach, what types of information was compromised etc.), as well as considering the IPC’s (and public’s) expectations in this regard. Fully understanding which legislation applies to your organization is a key way to mitigating privacy risk. Importantly, PIPEDA places obligations on organizations to keep records of breaches, even where those breaches do not meet the notification threshold under the Act.