Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Mandatory Breach Reporting under PIPEDA

Back in late 2017 we published an article on breach reportingOn November 1, 2018, the new provisions to the Personal Information Protection and Electronic Documents Act (PIPEDA) related to breach of security safeguards along with the Breach of Security Safeguards Regulations came into force.

The regulations require organizations to report to the Office of the Privacy Commissioner (OPC) and affected individuals, any breach of security safeguards involving personal information under its control, if it is reasonable to believe the breach creates a “real risk of significant harm”. Failure to report a breach is punishable by a fine of up to CAD 100,000.

On October 29, 2018, the OPC published the final guidance intended to assist organizations with the Breach of Security Safeguards Regulations. The guidance provides direction on how organizations can assess whether a breach creates a “real risk of significant harm” (the guidance provides a non-exhaustive list of the types of harm that will be considered significant) and provides a breach report form that organizations may use to report a breach to the OPC.

We’re Here To Help

If you have questions regarding how your organization will be impacted by these requirements, or any questions related to privacy legislation in general, please contact us.

Finalized Breach of Security Safeguards Regulations

Back in June of 2015, the Digital Privacy Act, received royal assent resulting in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most amendments came into force at that time, except for the much-anticipated requirements related to breach notification. These requirements will come into force once regulations have been developed and put into place and will affect any organization that collects, uses or discloses personal information in the course of commercial activities.

 On September 2, 2017, a draft of those regulations was published for public comment in the Canada Gazette and on April 18, 2018 the final Breach of Security Safeguards Regulations under PIPEDA were published. The regulations set out prescribed requirements for mandatory breach reporting and will come into force on November 1, 2018.

The objective of the regulations is to:

  • Ensure that all Canadians receive consistent information about data breaches that pose a risk of significant harm to them.
  • Ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach.
  • Ensure that the Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm.
  • Ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying.

The regulations require organizations to report, to the privacy Commissioner, any breach of security safeguards involving personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm. The regulations state that such a report must contain the following:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day or the period in which the breach occurred;
  • a description of the personal information that was involved in the breach;
  • an estimate of the number of individuals impacted – were the breach creates a real risk of significant harm;
  • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
  • the steps that the organization has taken or will take to notify impacted individuals; and
  • the name and contact information of a person who can answer, on behalf of the organization, the Privacy Commissioner’s questions about the breach.

Organizations that experience such a breach will have also have to do the  following:

  • Determining if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach by conducting a risk assessment;
  • Notifying affected individuals if it is determined that there is a real risk of significant harm. How the notification will take place depends on serval factors such as if contact information of the impacted individuals is known, cost, and if the method chosen to deliver such a notification will cause further harm;
  • Issuing notification that contains:
    • a description of the circumstances of the breach;
    • the day or period during which the breach occurred;
    • a description of the personal information that was involved in the breach;
    • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
    • the steps that the impacted individuals could take to reduce the risk of harm resulting from the breach;
    • a toll-free number or email address that the impacted individuals can use to obtain further information about the breach; 
    • information about the organization’s internal complaint process and about the individual’s right, under PIPEDA and that they can make a complaint with the Privacy Commissioner;
  • Notifying other organizations or government institution if they believe the they may be able to reduce the risk of harm to the impacted individuals.  (i.e. law enforcement agencies). If this is the case, consent of individuals is not required for such disclosures; and
  • Keeping records of any data breach for a minimum of 24 months.

In determining if there is a “real risk of significant harm”, the assessment of risk conducted must consider factors such as the sensitivity of the personal information involved, whether or not the data was encrypted, whether the personal information was misused, if the information has been recovered, etc. The true risk of such factors may not always be known at the time that the risk assessment is first conducted.  One distinction from the draft regulations is that the final regulations also refer to harm “that could result from the breach” rather than harm “resulting from the breach”. This final wording is more practical than that of the language found in the draft, as potential harms will often be speculative at the time the breach is first discovered.

In reporting “as soon as feasible,” the final regulations allow for an organization to submit new information to the Commissioner after the initial report has been submitted. This is a significant improvement over the draft regulations, since organizations often do not have all information at the time a report is required to be submitted.

We’re Here To Help

If you have questions regarding these new requirements or any questions related to privacy legislation in general, please contact us.

PIPEDA’s Security Breach Notification Provisions

Back in September we published an article on Breach of Security Safeguards Regulation. Those requirements will come into force on November 1, 2018, according to an Order in Council issued on March 26, 2018.

The much-anticipated requirements will require organizations to report, to the privacy commissioner and affected individuals, any breach of security safeguards involving personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm.

While the final regulation is not yet available, a draft of the regulation can be found here.

We’re Here To Help

If you have questions regarding how your organization will be impacted by these requirements or any questions related to privacy legislation in general, please contact us.

Breach of Security Safeguards Regulations

Back in June of 2015, the Digital Privacy Act received royal assent, resulting in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most amendments came into force at that time, except for the much-anticipated requirements related to breach notification. These requirements will come into force once regulations have been developed and put into place, and will affect any organization that collects, uses or discloses personal information in the course of commercial activities.

On September 2, 2017, a draft of those regulations was published in the Canada Gazette. The draft regulations will require organizations to report, to the privacy commissioner, any breach of security safeguards involving personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm. The draft regulations state that such a report would have to contain the following:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day or the period in which the breach occurred;
  • a description of the personal information that was involved in the breach;
  • an estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;
  • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
  • the steps that the organization has taken or will take to notify impacted individuals; and
  • the name and contact information of a person who can answer, on behalf of the organization, the Privacy Commissioner’s questions about the breach.

Organizations that experience such a breach will also have to do the  following:

  • Determine if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach by conducting a risk assessment;
  • Notify affected individuals if it is determined that there is a real risk of significant harm. How the notification will take place depends on serval factors such as if contact information of the impacted individuals is known, cost, and if the method chosen to deliver such a notification will cause further harm;
  • Issue notification that contains:
    • a description of the circumstances of the breach;
    • the day or period during which the breach occurred;
    • a description of the personal information that was involved in the breach;
    • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
    • the steps that the impacted individuals could take to reduce the risk of harm resulting from the breach;
    • a toll-free number or email address that the impacted individuals can use to obtain further information about the breach; and
    • information about the organization’s internal complaint process and about the individual’s rights under PIPEDA, and that they can make a complaint with the privacy commissioner;
  • Notify other organizations or government institutions if they believe they may be able to reduce the risk of harm to the impacted individuals (i.e. law enforcement agencies). If this is the case, consent of individuals is not required for such disclosures; and
  • Keep records of any data breach for a minimum of 24 months.

The determination if there is a real risk of significant harm to an individual, and reporting “as soon as feasible” requirements, are likely to be the most challenging for organizations.

In determining if there is a “real risk of significant harm”, the assessment of risk conducted must consider factors such as the sensitivity of the personal information involved, whether or not the data was data encrypted, whether the personal information could be misused, if the information has been recovered, etc. The true risk of such factors may not always be known at the time that the risk assessment is first conducted. If not known, it may be best to use a worst case scenario in the assessment.

In reporting “as soon as feasible” after an organization determines that the breach has occurred, to both the Privacy Commissioner and impacted individuals, organizations may be hesitant to provide specific information. Reasons why organizations may be hesitant may include, details and information may change as further investigating of the breach is conducted, or for fear of litigation risk down the road. Additionally, there is reputational risk that organizations will be concerned about. When notifying the Privacy Commissioner, organizations may want to state that the investigation is ongoing and that updates will be provided in a timely manner. When notifying impacted individuals, organizations should ensure that all required information is contained in the notification. It is best to be transparent and truthful in such notifications, as not doing so may cause even greater litigation and reputational risk.

Regulatory Impact Analysis and Regulations

The draft regulations are open for a comment period, to read full details of the draft and the accompanying regulatory impact analysis statement please visit the Canada Gazette.

We’re Here To Help

If you have questions regarding this or any questions related to privacy legislation in general, please contact us.

Return to Blog Listing


PROCESSING...