PIPEDA: What You Need to Know

On November 1, 2018, new regulations will come into force that will require all organizations to report breaches of security safeguards that pose a real risk of significant harm to individuals to the Privacy Commissioner and any individuals affected.

It will also require organizations to keep records (for a minimum period of 24 months) of all security safeguard breaches, regardless of whether they pose a real risk of significant harm or if they were reported to the Privacy Commissioner or individuals affected.

These new data breach notification rules are required under the Digital Privacy Act, 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA).

This guide serves to inform all organizations on the new requirements, including reporting and storing requirements.

However, every organization is unique, and any information provided in this guide must be considered in the context of your individual situation. This guide, including attachments and links, is not intended as legal advice. You should consult your individual legal advisors when considering these contents and when setting up your own systems of monitoring, reporting, and keeping records of security safeguard breaches.

WHAT DOES THIS MEAN?

A security safeguard includes a variety of measures taken to securely keep personal or sensitive information. This includes physical measures (e.g., locked filing cabinets and restricted access to offices), organizational measures (e.g., security clearances and limiting access on a “need-to-know” basis), and technological measures (e.g., the use of passwords and encryption).

If any of these security safeguards have been discovered to be breached (e.g., lost, stolen, accessed or disclosed without authorization, etc.), then you must keep a record of it for a minimum period of 24 months. If this breach also involves a real risk of significant harm to affected individuals, then you must also report the breach to the Privacy Commissioner and to said individuals.

HOW DOES THIS AFFECT ME?

Organizations must ensure that they have security safeguard measures in place regarding personal and sensitive information of third parties. As identified above, this can include a variety of measures that best suit each business and its needs.

DO I HAVE TO REPORT ALL BREACHES OF SECURITY SAFEGUARDS?

No. The law requires that you report any breach involving personal information under your control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual.

Whether a breach affects one person or 1,000, it will still need to be reported if your assessment indicates there is a “real risk of significant harm” resulting from the breach.

Though you do not need to report all breaches, you must keep a record of all breaches for a minimum period of 24 months.

Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

The real risk of significant harm must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability the personal information has been/is/will be misused.

The Privacy Commissioner’s office has a guide that helps organizations assess whether the real risk of significant harm exists with a corresponding security breach (see “Resources” section at the end of this guide).

Note that the new regulations also stipulate that failing to establish security safeguards in the first place also qualifies as a breach of security safeguard.

WHAT RECORDS AM I REQUIRED TO KEEP?

You are required to keep records of all breaches of personal information under your control – whether there is a real risk of significant harm or not – for a minimum period of 24 months from the date a breach has been determined to have occurred (e.g., the day you discovered the breach).

Records must contain any information that enables the Privacy Commissioner to verify compliance.

Records need not include personal details unless necessary to explain the nature and sensitivity of the information.

At minimum, a record should include:

  • date or estimated date of the breach;
  • general description of the circumstances of the breach;
  • nature of the information involved in the breach;
  • whether or not the breach was reported to the Privacy Commissioner of Canada and whether individuals were notified; and
  • if the breach was not reported to the Privacy Commissioner/individuals, a brief explanation of why the breach was determined not to pose a “real risk of significant harm.”

HOW DO I REPORT A BREACH THAT POSES REAL RISK OF SIGNIFICANT HARM TO THE PRIVACY COMMISSIONER?

The Office of the Privacy Commissioner has an online form that you can fill out to submit your report (see “Resources” section below for a link to the form).

Note that you are required to report qualifying breaches as soon as you have determined a breach involving a real risk of significant harm has occurred.

This means that you do not have to have all the information identified (e.g., the exact date of the breach), and you are always able to send new information as you become aware of it.

HOW DO I REPORT A BREACH THAT POSES REAL RISK OF SIGNIFICANT HARM TO AFFECTED INDIVIDUALS?

Unless otherwise prohibited by law, anytime you determine that a breach poses a real risk of significant harm to an individual, you must notify the individual(s) concerned. The notification must be conspicuous and must be given directly to the individual, except in certain circumstances where indirect notification is permitted (see below for circumstances permitting indirect notification).

The law requires that notification to individuals must be given as soon as feasible after you have determined a breach involving a real risk of significant harm has occurred.

WHAT IS DIRECT NOTIFICATION?

Direct notification is when you notify an individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.

WHAT DO I HAVE TO INCLUDE IN DIRECT NOTIFICATIONS TO INDIVIDUALS?

The notification must include enough information to allow the individual to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from the breach or mitigate the harm.

As well, it should not be overly legalistic, and it should be easily understood.

The notification must include the following information:

  • a description of the circumstances of the breach;
  • the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • a description of the steps that the organization has taken to reduce the risk of the harm that could result from the breach;
  • a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
  • contact information that the affected individual can use to obtain further information about the breach.

WHEN CAN I INDIRECTLY NOTIFY INDIVIDUALS?

There are limited times when you can indirectly notify people. These are when:

  • direct notification would be likely to cause further harm to the affected individual;
  • direct notification would be likely to cause undue hardship for the organization; or
  • the organization does not have contact information for the affected individual.

WHAT ARE EXAMPLES OF INDIRECT NOTIFICATION?

Indirect notification must be given by public communication or similar measure that could reasonably be expected to reach the affected individuals.

This can include public announcements, such as advertisements in online or offline newspapers.

You should use a method that is likely to reach affected individuals. For example, a mention in a corporate blog may not have the reach of a prominent and dedicated public announcement campaign.

For indirect breach notifications, you should employ those measures you would for other public announcements. For example, consider how to incorporate media messaging, including a prominent notice made on your website, or other online/digital presence.

DO I HAVE TO NOTIFY ANY OTHER ORGANIZATIONS?

When you notify an individual of a breach involving a real risk of significant harm, you must also notify any other government institutions or organizations that you believe can reduce the risk of harm that could result from the breach or mitigate the harm.

Examples include notifying law enforcement if illegal activity is involved (theft, hacking, etc.) and notifying all those who process your payments (payment processors, acquiring bank, etc.) if the breach affects individuals’ payment card information. Note that this list is not exhaustive.

WHAT HAPPENS IF I KNOWINGLY FAIL TO COMPLY WITH THESE NEW REGULATIONS?

The Privacy Commissioner will refer information relating to the possible commission of an offence to the Attorney General of Canada, who is ultimately responsible for any prosecution. A prosecution may result in:

  1. an offence punishable on summary conviction and liable to a fine not exceeding $10,000; or
  2. an indictable offence and liable to a fine not exceeding $100,000.

Repurposed with thanks from the Insurance Brokers Association of Canada.

RESOURCES:

Detailed Guide from the Office of the Privacy Commissioner: What you need to know about mandatory reporting of breaches of security safeguards

How to assess whether a breach poses a real risk of significant harm

Online form to report breaches of security safeguards that pose a real risk of significant harm