On September 2, 2017, the Government of Canada published the proposed Breach of Security Safeguards Regulations (“Regulations”). The proposed Regulations provide additional clarity and substance to the mandatory requirements for breaches of security safeguards which were added to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in June 2015 but have yet to be declared into force. The Government of Canada will be accepting comments on the proposed Regulations until October 2, 2017.
The new breach notification requirements will add significant financial and administrative burdens for organizations handling personal information regulated by PIPEDA, including organizations located outside of Canada which collect, use or disclose personal information about Canadian individuals.
The proposed Regulations apply to a “breach of security safeguards.” This term is defined in PIPEDA as the loss of, unauthorized access to, or unauthorized disclosure of, personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1, or alternatively from a failure to establish those safeguards. Practically speaking, a breach of security safeguards will include most, if not all, data breaches. The mandatory breach requirements will only apply to breaches of security safeguards where the organization believes there is a “real risk of significant harm” to an individual. In order to determine whether the breach poses a real risk of significant harm to any individual, an organization must conduct a risk assessment which considers the sensitivity of the information involved and the probability that the information will be misused.
Reporting to the Office of the Privacy Commissioner
Once the PIPEDA mandatory breach notification sections are declared in force, organizations will be required to send a written report to the Office of the Privacy Commissioner once there has been a breach of security safeguard that the organization believes to create a real risk of significant harm to an individual. The Regulations propose that the report must contain: (a) a description of the circumstances of the breach and, if known, the cause; (b) the day on which, or the period during which, the breach occurred; (c) a description of the personal information that is the subject of the breach; (d) an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm; (e) a description of the steps that the organization has taken either to reduce the risk of harm to each affected individual or to mitigate that harm; (f) a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act; and (g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Notification to Affected Individuals
PIPEDA will also require that an organization notify individuals in the event of a breach involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Pursuant to PIPEDA, the notification must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. The Regulations propose that affected individuals be provided with the following information: (a) a description of the circumstances of the breach; (b) the day on which, or period during which, the breach occurred; (c) a description of the personal information that is the subject of the breach; (d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm; (e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm; (f) a toll-free number or email address that the affected individual can use to obtain further information about the breach; and (g) information about the organization’s internal complaint process and about the affected individual’s right, under PIPEDA, to file a complaint with the Commissioner.
Notification to affected individuals must be given: (a) by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner; (b) by letter delivered to the last known home address of the affected individual; (c) by telephone; or (d) in person. However, the Regulations propose that indirect notification is appropriate in the following circumstances: (a) the giving of direct notification would cause further harm to the affected individual; (b) the cost of giving of direct notification is prohibitive for the organization; (c) the organization does not have contact information for the affected individual or the information that it has is out of date. Indirect notification may be given: (a) by a conspicuous message, posted on the organization’s website for at least 90 days; or (b) by means of an advertisement that is likely to reach the affected individuals.
Record Keeping Requirements
The proposed Regulations impose on organizations to maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred. Such records must contain any information pertaining to the breach that enables the Office of the Privacy Commissioner to verify compliance with PIPEDA’s mandatory breach requirements.
Coming Into Force
The proposed Regulations will come into effect at the same time as the statutory requirements pertaining to data breach reporting under PIPEDA. The coming into force of the statutory requirements will be established by a subsequent Order in Council once the Regulations are final.