On Sept. 1, 2017, the Canadian government published proposed regulations relating to the mandatory reporting of privacy breaches under Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
While the regulations put forth by the government are simply proposed rules, they do provide an indication of what will likely be included in the final regulations. The regulations are expected to be finalized in the coming months. This Compliance Bulletin examines the proposed data breach regulations and the potential implications for organizations subject to PIPEDA.
Reports to the Commissioner: Content, Form and Manner
According to the draft regulation, a report to the Commissioner must be made in writing and contain the following information:
- A description of the circumstances of the breach and, if known, the cause;
- The day on which, or the period during which, the breach occurred;
- A description of the personal information that is the subject of the breach;
- An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
- A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
- A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach; and
- The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
Under the proposed regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.
Requirements for Notifying Affected Individuals of a Data Breach
Under PIPEDA, notification to an affected individual must contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if possible, to reduce or mitigate the risk of harm that could result. According to the draft regulations, a notification to an affected individual, at a minimum, must contain:
- A description of the circumstances of the breach;
- The day or time frame the breach occurred;
- Descriptions of the type of personal information that was compromised during the breach;
- A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
- A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
- A toll-free number or email address impacted individuals can use to obtain further information regarding the breach; and
- Information about the organization’s internal complaint process and about the affected individual’s right, under the PIPEDA, to file a complaint with the Commissioner.
Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure forms of communication if the affected individual consented to receive information from the organization in that manner.
Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the draft regulations, organizations will be able to provide indirect notification only if:
- A direct notification would cause further harm to the affected individual;
- The cost of giving a direct notification is prohibitive for the organization; or
- The organization does not have contact information for the affected individual or the information that it has is out of date.
The draft regulations indicate that indirect notification may be given only by either a conspicuous message, posted on the organization's website for at least 90 days, or by means of an advertisement that is likely to reach the affected individuals.
Once in force, the data breach provisions of PIPEDA and the regulations will require organizations to maintain a record of EVERY breach of security safeguards. The draft regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.
While the regulations are not finalized and an enforcement date has not yet been announced, organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrate burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact.
To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette. Scrivens will continue to monitor legislative changes and provide updates as necessary.