Amendments to Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), are coming into force on November 1, 2018. These amendments impose upon organizations mandatory reporting, notification, and record-keeping requirements in the event of a privacy breach. The new rules are intended to ensure that Canadians receive sufficient information about privacy breaches regarding their personal information, to promote better data security practices by organizations, and to harmonize with the privacy laws in other jurisdictions (most notably with the European Union’s General Data Protection Regulation).
As noted above, the new rules consist of three main elements: reporting, notification, and record-keeping.
The reporting and notification requirements apply where an organization has suffered a breach of security safeguards involving personal information that creates a “real risk of significant harm” to an individual. Upon such a breach, organizations must (1) report the breach to the Office of the Privacy Commissioner of Canada (OPC) and (2) notify the affected individual(s) of the breach.
The PIPEDA amendments and the related Breach of Security Safeguards Regulations set out the required content, form, and manner of both the OPC report and the notification to an individual. The OPC will also be providing a standard form that parties can use to report breaches.
In determining whether a given privacy breach triggers the reporting and notification requirements, an organization must determine if the breach creates a real risk of significant harm. “Significant harm” is defined to include bodily harm, humiliation, and damage to reputation or relationships, among other things. Whether or not a real risk of significant harm exists is a contextual determination that involves factors such as the sensitivity of the information involved in the breach and the probability of the personal information being misused.
By contrast, the record-keeping requirement applies to all breaches of security safeguards involving personal information, not only breaches that are material or that create a real risk of significant harm. Under the new rules, organizations must keep records of breaches for a period of two years.
To promote compliance, the amendments set out financial penalties for deliberate violations of the new rules. Persons who knowingly contravene PIPEDA’s breach-reporting, notification, and record-keeping requirements may face fines of up to $100,000 per violation.
The OPC recently published draft guidelines that provide an overview of the new reporting requirements, along with a draft breach reporting form. According to these guidelines, the OPC expects a report from everyone involved in a data breach, not only the accountable entity. For instance, where data collection or processing services are sourced from a third party, who then suffers a privacy breach, both the outsourcer and the service provider are expected to file a report. This may create a significant regulatory burden, particularly where there are multiple outsourcing companies. The OPC has sought feedback on the draft guidelines through a public consultation process, so it remains to be seen what its final position will be. The consultation period ended on October 2, 2018. Final versions of the guidelines and the breach reporting form are expected to be released shortly.
The main takeaway for businesses is the importance of having an effective breach response plan for both legal and reputational purposes. In addition to avoiding potential fines under PIPEDA, businesses will want to limit the damage to stakeholders and the negative publicity associated with a privacy breach. Best practices would be for organizations to (1) review their current processes regarding privacy and collection of personal information, and (2) establish policies and procedures for internal action plans in the event of a privacy breach.