Updated October 30, 2018.
By Cristina Onosé, Director, Government Relations at CMA
It’s been three years since breach notification requirements were incorporated into Canada’s privacy law. The amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) made by the Digital Privacy Act in 2015 required the government to develop breach regulations so that organizations notify affected individuals, and report to the Privacy Commissioner, any data breach that poses a “real risk of significant harm.” The inclusion of mandatory breach reporting provisions in the law is largely supported by Canadian businesses.
The regulations come into force on November 1, 2018. The final Regulations are not substantively different from the draft regulations released last year, but they do include a number of revisions that generally give organizations more flexibility. An organization that experiences a data breach (referred to in the Act as a “breach of security safeguards”) will be required to:
- Determine, by conducting a risk assessment, whether the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”). The assessment must consider the sensitivity of the information involved and the probability that the information will be misused;
- Notify affected individuals and report to the Privacy Commissioner of Canada as soon as feasible, if the breach poses a real risk of significant harm;
- Notify any other organization that may be able to mitigate harm to affected individuals;
- Maintain a record of every breach of security safeguards involving personal information under its control, whether or not it meets the notification threshold, and provide it to the Commissioner on request.
What is Risk of Harm?
The term “significant harm” covers a wide range of harms, including bodily harm, financial loss, identity theft, negative effects on credit records, humiliation, damage to reputation or relationships, loss of employment or of business or professional opportunities, and damage to or loss of property.
The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include:
- the sensitivity of the personal information involved in the breach; and
- the probability that the personal information has been, is being, or will be, misused.
Notifying the Commissioner
The Regulations list the categories of information that must be contained in a report to the Commissioner:
- Description of circumstances of the breach;
- Day/period when breach occurred;
- Description of personal information breached;
- Number of individuals affected;
- Steps taken to reduce risk of harm that could result from breach;
- Steps taken to notify individuals; and
- Name and contact information of a person who can answer the Commissioner’s questions.
A report can be submitted to the Commissioner with the best information available to the organization at the time. This allows an organization to report as soon as feasible, even while the investigation is still under way and some facts (for example, the exact number of affected individuals) are not yet known. The organization can then update the Commissioner as further information becomes available.
Notifying affected individuals
The following information must be contained in a notification to affected individuals (additional information can be included as determined by the organization):
- A description of the circumstances of the breach;
- Day/period when breach occurred;
- Description of the personal information that is the subject of the breach;
- Steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
- Steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm; and
- Contact information that the affected individual can use to obtain further information about the breach.
The Regulations recognize that notification to individuals can be direct or indirect, depending on the circumstances. Direct notification should be the default, but there are situations where notifying every affected individual directly is impracticable for the breached organization (for example, where it does not hold current contact information for them) or where direct notification would itself cause further harm to affected individuals; in those cases, indirect notification, such as a public announcement, may be used.
What else do you need to do?
In addition to the notification requirements, organizations have an obligation to keep a record of every breach of security safeguards involving personal information, with enough information to show that they are tracking security incidents that result in a breach of personal information and can explain how each one was assessed.
There is no materiality threshold for this requirement: a record must be kept for every breach of personal information, including those that the organization concludes do not pose a real risk of significant harm and so are not reported. In practice this means an incident-response process needs a record-keeping step that is independent of the notification decision. For many businesses, this new requirement may be difficult.
Organizations must retain these breach records for a minimum of 24 months from the day the organization determines that the breach occurred. This is a floor, not a ceiling: organizations can keep the records longer to meet other legal obligations and business requirements.
The Privacy Commissioner’s office has released breach guidance to help organizations comply. The guidelines clarify reporting responsibilities and offer guidance on assessing whether a breach poses a real risk of significant harm, which is the threshold that triggers notification to individuals and reporting to the Commissioner.