November 23, 2018
By Amanda Branch
On November 1, 2018, the mandatory breach notification requirements came in to force.
Under the legislation, if an organization suffers a breach of security safeguards that gives rise to a “real risk of significant harm”, the organization must (i) report the incident to the Office of the Privacy Commissioner of Canada (the “OPC”); (ii) notify affected individuals; and (iii) notify any other third party organizations or government institutions that are in a position to mitigate the risk of harm to affected individuals. These notifications must be made as soon as feasible after the organization determines that the breach has occurred.
The OPC recently released its breach guidance, “What you need to know about mandatory reporting of breaches of security safeguards” (the “Guidelines”) which will help businesses better understand their obligations.
Penalties. Failure to report a breach or to maintain required records is an offence under PIPEDA and non-compliance is punishable by a fine of up to $100,000.
Who should report. Generally speaking, the organization that is in control of the personal information involved in the breach must report the breach to the OPC.
What to report. An organization must report to the OPC a breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to the individual. Organizations are not expected to report all breaches (but recall, organizations are required to keep a record of all breaches).
Determining whether there is a “real risk of significant harm” should be based on an assessment of the sensitivity of the personal information involved in the breach and the probability the personal information has been/is/will be misused. Under the legislation, “significant harm” is defined to include humiliation, damage to reputation or relationships, loss of employment or other opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
When to report. The breach should be reported to the OPC as soon as feasible after the organization determines a breach has occurred, even if not all information is known or confirmed. Organizations can update the form if/when they become aware of new information.
When to notify. Unless otherwise prohibited by law, if an organization determines that a breach poses a real risk of significant harm to an individual, the organization must notify the affected individual and must include:
The notification must be given as soon as feasible after the organization determines a breach has occurred.
How to notify. Generally speaking, the notification must be conspicuous and given directly to the individual (except in circumstances set out in the regulations where indirect notification is allowed).
Businesses will also be required to maintain records of all data breach incidents for a minimum of 24 months (irrespective of whether the business concludes the breach gives rise to a real risk of significant harm to affected individuals). The Commissioner may request and review the history of breaches experienced by a particular business within the prior 24-month window. Records must contain sufficient information to permit the Commissioner to verify compliance with the breach reporting regime and the Guidelines state that, at a minimum, a record should include:
By way of background, in 2015 the Digital Privacy Act introduced significant amendments to PIPEDA, including the creation of mandatory data breach reporting and record keeping requirements. In April 2018, the federal government published the Breach of Security Safeguard Regulations which set out the requirements for the new mandatory reporting regime. These regulations came in to force on November 1, 2018.
This article was first published in the IICIE blog https://www.iicie.com/users/blog.php?blgId=MTEx
Information on this website is for information only. It is not, and should not be taken as, legal advice. You should not rely on, or take or not take any action, based upon this information. Professional legal advice should be promptly obtained. Bereskin & Parr LLP professionals will be pleased to advise you.