In 2015, the federal government amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to include a requirement to report certain serious breaches of personal information.1 That amendment did not come into force while the government was drafting regulations to detail the reporting obligations of organizations subject to PIPEDA. A draft regulation published on September 2 provides direction on the reporting, notification and record-keeping requirements of the new breach reporting regime.2 The government has announced a 30-day comment period on the proposed regulations.
What You Need To Know
- PIPEDA requires organizations to (1) report to the Office of the Privacy Commissioner of Canada (OPC), and (2) notify affected individuals of breaches of security safeguards involving personal information where the breach creates a real risk of significant harm to individuals.
- The proposed regulations set out the required content of both the report to the OPC and the notice to individuals, the elements of which will be familiar to organizations that have voluntarily reported serious breaches in the past, as they largely mirror the questions the OPC asks about most incidents.
- The report to the OPC must be in writing and must include the following things: a description of the circumstances and causes (if known) of the breach; the date of the breach; the personal information affected; the number of individuals at real risk of significant harm; a description of the steps the organization has taken to reduce the risk of harm to individuals; the steps taken to notify affected individuals; and a contact person for the organization.
- The notice to individuals, which may be oral or written, must include: a description of the circumstances of the breach; the date of the breach; the personal information affected; a description of the steps the organization has taken to reduce the risk of harm to individuals and the steps the individual can take to further mitigate the risk of harm; a toll-free telephone number or email address for further information; and information about the organization's complaint process and the individual's right to file a complaint with the OPC. Notice to individuals must be delivered directly by email, letter, telephone or in person. In some cases it can be delivered indirectly through advertisements or posting on the organization's website.
- The proposed federal regulations differ in form, but not substance, from the breach reporting requirements in Alberta, which is the only Canadian jurisdiction that already has mandatory, private-sector privacy breach reporting. Under the Alberta legislation, an organization must report the loss or unauthorized access to or disclosure of personal information to the provincial Information and Privacy Commissioner where the breach creates a real risk of significant harm to an individual. The Alberta Commissioner may, and almost always does, then require the organization to notify affected individuals. The proposed PIPEDA regulations assume that where the reporting threshold is met, organizations will notify individuals before reporting to the OPC.
- The draft regulations do not add much clarity to the record-keeping requirements added to PIPEDA, other than to require records of every breach of security safeguards be kept for two years after the date the breach is discovered. Those records should contain sufficient information to allow the OPC to determine whether the organization complied with the reporting and notification requirements, i.e., whether the breach posed a real risk of significant harm to an individual.
- Once the regulations are finalized, a deferred coming-into-force date will be fixed by the government. Organizations engaged in commercial activity in Canada should use this time to review and update internal breach response protocols, record retention procedures and personal information handling and complaint policies. This review should include: establishing mechanisms for determining whether a privacy breach meets the reporting and notification threshold; designating the breach response team, including internal stakeholders and external advisors and service providers; designing templates for reports to the OPC and notices to customers, employees and other individuals; and confirming organizational record retention procedures comply with the new PIPEDA requirements without retaining unnecessary information.
- The government has suggested additional guidance will be developed by the OPC with respect to the content and format of breach notifications. We will keep you updated on any developments.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2021 by Torys LLP.
All rights reserved.