More than 2 years after passing amendments to the federal privacy sector privacy law, the Federal Government has released draft data breach regulations, bringing mandatory data breach reporting one step closer in most provinces of Canada.
Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that created mandatory data breach notification obligations were passed in June 2015, however these notification provisions were not proclaimed in force, pending finalization of related regulations.
Overall, there is little surprising or novel about the requirements in the proposed Regulations, which largely track existing privacy commissioner guidance and provincial legislative requirements. The Regulations generally provide detail as to the type of information to be included in breach notification reports and notices, provide guidance on the form of notice that will be required, and create a mandated retention period for records respecting data breaches.
Once proclaimed in force, the data breach provisions in PIPEDA will require organizations to report to the Office of the Privacy Commissioner of Canada (OPC) any breaches of security safeguards involving personal information under their control, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
As proposed in the draft Breach of Security Safeguards Regulations, such reports will have to be in writing, and contain certain prescribed information concerning the circumstances of the breach, including the nature and scope of the personal information in question, the number of affected individuals, the mitigation efforts made by the organization and the steps taken to notify affected individuals.
In addition to reporting the breach to the OPC, PIPEDA will similarly require organizations to notify affected individuals of breaches of security safeguards relating to their personal information, assessed against the same threshold that triggers the reporting requirement to the OPC, i.e. a real risk of significant harm to an individual. The draft Regulations would also require that such a notice contain prescribed information, similar to that required in a report to the OPC.
While the law favours direct notification, the draft Regulations also allow for indirect notification in certain circumstances, such as where direct notification would cause further harm to the affected individual, where the organization does not have up-to-date contact information for the individual, or where the cost of providing direct notification would be prohibitive. Direct notice may be provided by email, letter, telephone or in person; whereas, indirect notification may be provided by website messages and advertisements.
The Act also requires organizations to maintain a record of every breach of security safeguards involving personal information under its control – even those with respect to which notification and reporting would not be required. This obligation is intended to enable the OPC, on request, to verify compliance with the security safeguard requirements of the Act. The draft Regulations propose that such records must only be retained for a period of 24 months.
PIPEDA applies to federally regulated works, undertakings and businesses, and to commercial activity in provinces without their own private sector privacy laws. Only 3 provinces have enacted such laws: Alberta, British Columbia and Québec. The Province of Alberta’s Personal Information Protection Act has contained mandatory data breach reporting obligations since 2010. While there is a strong expectation of breach reporting in the Provinces of British Columbia and Québec, there are no current legislative proposals to amend the private sector privacy laws in those provinces to obligate organizations to report data breaches.
Interested parties may file comments concerning the proposed federal Regulations by 2 October 2017. The Government has indicated that, once the Regulations are finalized, both the Regulations and the breach notification provisions of PIPEDA will come into force on a date to be proclaimed; however there will be a delay between the publication of the final regulations and the coming into force date, to enable organizations to gear up for the new obligations.