The Canadian federal government released the proposed Breach of Security Safeguards Regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) on September 2, 2017.

These Regulations, which are not yet in force, set out the:

  1. content, form and manner of a report to the Commissioner of a breach under PIPEDA;
  2. content of notification to affected individuals;
  3. manner of direct notification;
  4. circumstances permitting indirect notification;
  5. manner of indirect notification; and
  6. record-keeping requirements.

Introduction

PIPEDA currently defines "breach of security safeguards" as the loss of, unauthorized access to, or unauthorized disclosure of personal information that results either from a breach of an organization's security safeguards or from the organization's failure to establish those safeguards.

PIPEDA and the proposed Regulations will require that an organization report a breach to the Commissioner, and notify the affected individual, where it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to the individual. PIPEDA defines "significant harm" and sets out the factors relevant to determining whether there is a "real risk" of such harm: the sensitivity of the personal information involved in the breach, the probability that the personal information has been, is being, or will be misused, and any other factor prescribed by regulation. PIPEDA also provides that the report and the notification must be given as soon as feasible after the organization determines that the breach has occurred.

Organizations must also notify any other organization or government institution that may be able to reduce the risk of harm to the affected individuals, or to mitigate that harm.

These and other obligations are backed up by compliance and enforcement measures, including the Commissioner's ability to enter into "compliance agreements" with organizations, and to apply to the Court for an order directing an organization to comply.

Content, Form, and Manner of a Report

The proposed Regulations state that any report to the Commissioner must contain:

  1. a description of the circumstances and cause of the breach;
  2. the date or period of the breach;
  3. a description of the personal information that is the subject of the breach;
  4. an estimate of how many people are exposed to a "real risk of significant harm";
  5. a description of what the organization has done to reduce and mitigate harm;
  6. a description of what the organization has or intends to do to notify each affected individual; and
  7. contact information of a person who can answer the Commissioner's questions about the breach.

Content and Manner of a Notification

Similarly, the proposed Regulations will require that the notification to an affected individual contain:

  1. a description of the circumstances of the breach;
  2. the date or period of the breach;
  3. a description of the personal information that is the subject of the breach;
  4. a description of what the organization has done to reduce and mitigate harm;
  5. a description of what the affected individual could do to reduce and mitigate harm;
  6. a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
  7. information about the organization's internal complaint process and about the affected individual's right, under PIPEDA, to file a complaint with the Commissioner.

The proposed Regulations also provide, among other things, details regarding the manner in which organizations can directly notify affected individuals, and when organizations can rely on indirect notification.

Record-Keeping Requirements

Finally, organizations will, if the Regulations come into force, be required to maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred.

The federal government will be collecting feedback on the draft Regulations until October 2, 2017. The final Regulations are expected to come into effect after the government has considered such feedback. In the interim, the draft Regulations give some much-awaited clarity with respect to the breach notification requirements contemplated by the federal government under PIPEDA.