PROCESSING...

Finalized Breach of Security Safeguards Regulations

Back in June of 2015, the Digital Privacy Act, received royal assent resulting in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most amendments came into force at that time, except for the much-anticipated requirements related to breach notification. These requirements will come into force once regulations have been developed and put into place and will affect any organization that collects, uses or discloses personal information in the course of commercial activities.

 On September 2, 2017, a draft of those regulations was published for public comment in the Canada Gazette and on April 18, 2018 the final Breach of Security Safeguards Regulations under PIPEDA were published. The regulations set out prescribed requirements for mandatory breach reporting and will come into force on November 1, 2018.

The objective of the regulations is to:

  • Ensure that all Canadians receive consistent information about data breaches that pose a risk of significant harm to them.
  • Ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach.
  • Ensure that the Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm.
  • Ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying.

The regulations require organizations to report, to the privacy Commissioner, any breach of security safeguards involving personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm. The regulations state that such a report must contain the following:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day or the period in which the breach occurred;
  • a description of the personal information that was involved in the breach;
  • an estimate of the number of individuals impacted – were the breach creates a real risk of significant harm;
  • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
  • the steps that the organization has taken or will take to notify impacted individuals; and
  • the name and contact information of a person who can answer, on behalf of the organization, the Privacy Commissioner’s questions about the breach.

Organizations that experience such a breach will have also have to do the  following:

  • Determining if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach by conducting a risk assessment;
  • Notifying affected individuals if it is determined that there is a real risk of significant harm. How the notification will take place depends on serval factors such as if contact information of the impacted individuals is known, cost, and if the method chosen to deliver such a notification will cause further harm;
  • Issuing notification that contains:
    • a description of the circumstances of the breach;
    • the day or period during which the breach occurred;
    • a description of the personal information that was involved in the breach;
    • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
    • the steps that the impacted individuals could take to reduce the risk of harm resulting from the breach;
    • a toll-free number or email address that the impacted individuals can use to obtain further information about the breach; 
    • information about the organization’s internal complaint process and about the individual’s right, under PIPEDA and that they can make a complaint with the Privacy Commissioner;
  • Notifying other organizations or government institution if they believe the they may be able to reduce the risk of harm to the impacted individuals.  (i.e. law enforcement agencies). If this is the case, consent of individuals is not required for such disclosures; and
  • Keeping records of any data breach for a minimum of 24 months.

In determining if there is a “real risk of significant harm”, the assessment of risk conducted must consider factors such as the sensitivity of the personal information involved, whether or not the data was encrypted, whether the personal information was misused, if the information has been recovered, etc. The true risk of such factors may not always be known at the time that the risk assessment is first conducted.  One distinction from the draft regulations is that the final regulations also refer to harm “that could result from the breach” rather than harm “resulting from the breach”. This final wording is more practical than that of the language found in the draft, as potential harms will often be speculative at the time the breach is first discovered.

In reporting “as soon as feasible,” the final regulations allow for an organization to submit new information to the Commissioner after the initial report has been submitted. This is a significant improvement over the draft regulations, since organizations often do not have all information at the time a report is required to be submitted.

We’re Here To Help

If you have questions regarding these new requirements or any questions related to privacy legislation in general, please contact us.

Return to Blog Listing