The much anticipated “breach of security safeguards” provisions in the Digital Privacy Act are set to come into force November 1, 2018, pursuant to an Order in Council. The provisions set to come into force are summarized below.
Additional requirements are set out in the draft Breach of Security Safeguards Regulations.
Section 10 – Mandatory Report and Notification
Report to Commissioner: Sections 10.1 (1) and (2) set out the requirement for an organization to report to the Commissioner any breach of security safeguards involving personal information under its control “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. Such report is to contain information prescribed in the draft Regulations and be made “as soon as feasible after the organization determines that the breach has occurred.
Notification of Individuals: Sections 10.1 (3) to (8) requires that an organization notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to the individual. This notification is to contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.
For the purpose of this section, “significant harm” includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
The factors that are relevant to determining whether a breach of security safeguards creates a “real risk” of significant harm to the individual include:
(a) the sensitivity of the personal information involved in the breach;
(b) the probability that the personal information has been, is being or will be misused; and
(c) any other prescribed factor.
Notification to Organizations: Section 10.2 requires that an organization that notifies an individual of a breach of security safeguards must also notify any other organization, a government institution or a part of a government institution of the breach “if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm”.
Record-keeping Obligations: Section 10.3(1) requires an organization to keep and maintain a record of “every breach of security safeguards involving personal information under its control”. Subsection (2) require an organization, on request, to provide the Commissioner with access to, or a copy of, a record.
Section 11 – Complaints and Investigations of Breaches
This section allows an individual to file with the Commissioner a written complaint against an organization for contravening the new provisions above, and for the Commissioner to investigate such violations. It also empowers the Commission to investigate matters covered by compliance agreements (see below).
Section 14 – Right to Apply to Court for a Hearing
The amendments to this section allow an individual who has filed a complaint with the Commissioner, upon resolution of that complaint, to apply to a court to seek damages or other remedies. The amendments expand this right to now include violations of Section 10, the security safeguards section, as well as other sections. The time to make such application has been extended from 45 days to one year.
Subsections 17(1) and (4) – Compliance Agreements
These subsections create the ability for the Commissioner to enter into compliance agreements with organizations. If the Commissioner believes on reasonable grounds that an organization “has committed, is about to commit or is likely to commit” an act or omission that could constitute a contravention of a provision of Division 1 or the new security safeguards section, or a failure to follow a recommendation set out in Schedule 1, the Commissioner may enter into a compliance agreement, with that organization. A compliance agreement does not preclude: (a) an individual from applying for a hearing under section 14; or (b) the prosecution of an offence under the Act.
Section 19 – Confidentiality and Disclosure in the Public Interest
This section expands the confidentiality obligations of the Commissioner to include reports and records obtained under the new record-keeping requirements in section 10.3. However, it also broadens the ability of the Commissioner to make public “any information that comes to his or her knowledge” if the Commissioner believes it “to be in the public interest to do so.”
The Commissioner may now also disclose to a government institution or a part of a government institution, any information contained in a breach report made under subsection 10.1(1) or in a record obtained under subsection 10.3(2) if the Commissioner “has reasonable grounds to believe that the information could be useful in the investigation of a contravention of the laws of Canada or a province that has been, is being or is about to be committed.”
Section 22 to 25 – Other Provisions
Amendments to these sections preclude the commencement of an action in defamation against the Commissioner, change slightly the preparation of the Commissioner’s annual report, and expand the ability of the Governor-in-Council to make regulations in respect of the record-keeping provisions.
Key Take Aways
Organizations which have been delayed implementing record-keeping policies and processes, or breach notification processes, are now officially running out of time to do so.