Part I: Is Your Business Ready for Mandatory Privacy Breach Reporting?
[Editor’s Note: A version of this blog previously appeared on David Fraser’s Blog. This blog has been edited to appear in 5 parts]
In September, proposed changes to the Canadian privacy breach notification that will be required by law were published in the Canada Gazette. The Digital Privacy Act amended the Personal Information Protection and Electronic Documents Act (PIPEDA) for Canada to add notification requirements for “breaches of security safeguards”, but we’ve all been anxiously awaiting regulations that will breathe life into the provisions.
The text (below) and the Regulatory Impact Analysis Statement do not really contain any surprises, other than a silly requirement that you can only give notice of a breach by email if “the affected individual has consented to receiving information from the organization in that manner.” This seems to be a silly nod to Canada’s asinine anti-spam law, which would otherwise permit such notices by email.
Here is the regulatory impact analysis statement. You can get the proposed regulation from the
Statutory authority – Personal Information Protection and Electronic Documents Act
Sponsoring department – Department of Industry
REGULATORY IMPACT ANALYSIS STATEMENT
(This statement is not part of the Regulations.)
On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA or the Act), in a number of areas. A key change was the establishment of mandatory data breach reporting requirements.
These new provisions are set out in Division 1.1 of PIPEDA, but are not yet in force. The proposed Regulations provide further details pertaining to certain statutory requirements, and prescribe the process for the coming into force of the Regulations.
PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or fundraising lists.
The federal government may exempt from PIPEDA organizations and/or activities in provinces that have adopted substantially similar privacy legislation. To date, Quebec, British Columbia and Alberta have adopted private sector legislation deemed substantially similar to PIPEDA. Further, Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have adopted substantially similar legislation with respect to personal health information.
Even in those provinces that have adopted legislation substantially similar to the federal privacy legislation, PIPEDA continues to apply to all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.
PIPEDA also continues to apply in those provinces to federally regulated organizations — “federal works, undertakings or businesses” — such as banks, and telecommunications and transportation companies.
The purpose of PIPEDA is to facilitate growth in electronic commerce through increasing the confidence of Canadians and businesses in the digital economy. The Act employs a principles-based approach that balances the privacy rights of individuals with the legitimate needs of business to use or exchange information.
Mandatory data breach reporting under PIPEDA
With the implementation of Division 1.1 of PIPEDA, organizations that experience a data breach — referred to in the Act as a “breach of security safeguards” — will have certain obligations, as follows:
- The organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”) by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused;
- When the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) as soon as feasible;
- The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
- The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.
Subsection 26(1)(c) of PIPEDA provides the Governor in Council with the authority to make any regulations that are required under the Act. The objective of this regulatory proposal is to provide greater certainty and specificity with respect to certain elements of the Act’s data breach reporting requirements under Division 1.1.
The objectives of the proposed Regulations are to:
- Ensure that all Canadians will receive consistent information about data breaches that pose a risk of significant harm to them.
- Ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach.
- Ensure that the Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm.
- Ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the Commissioner.
Description and rationale
With regard to the statutory requirements for data breach reporting under Division 1.1 of PIPEDA, the proposed Regulations will:
- specify the minimum requirements for providing a data breach report to the Commissioner;
- specify the minimum requirements for notifying affected individuals of a data breach; and
- confirm the scope and retention period for data breach record-keeping.
Recognizing the vast range of organizations that are subject to PIPEDA, the proposed Regulations are designed to provide maximum flexibility for organizations to fulfill their statutory obligations in a manner that is compatible with their particular circumstances.
For more information on mandatory breach notification, check out David’s blog.
For information on how you can help mitigate data breaches and protecting your business against up to 80% of common internet threats, learn about Cyber Essentials Canada
Be sure to check out Part 2 of David’s guest post data breach record keeping and notification of affected individuals.