On September 2, 2017, the Government of Canada published proposed new data breach regulations in the Canada Gazette.
These regulations set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act.
The PIPEDA Amendments were passed in June 2015 but are not yet in force.
The Regulations set out the proposed requirements for the reporting of data breaches of security safeguards (each, a Breach). Under the PIPEDA Amendments, a report to the Privacy Commissioner of Canada is required if it is reasonable in the circumstances to believe that the Breach poses a “real risk of significant harm” to any individual.
The Regulations include specifics of:
- the contents of a Breach report addressed to the Commissioner;
- the contents of a notice to an individual affected by a Breach;
- how notices must be provided; and
- record-keeping requirements.
Alberta is currently the only Canadian jurisdiction in which data breach reporting is mandatory. The “real risk of significant harm” threshold in the PIPEDA Amendments and the reporting requirements under the Regulations are substantially similar to the requirements under Alberta’s private sector privacy legislation, the Personal Information Protection Act (Alberta PIPA). The practice and experience in Alberta may therefore be considered when interpreting the new federal requirements.
Notices of a data breach to the Commissioner
A report of a Breach made to the Commissioner must be in writing and must contain the specific content set out in the Regulations.
There are no surprises in connection with the required content for a report of a data breach to the Commissioner, which mirrors the current form provided by the Commissioner for voluntary reporting and is similar to the requirements of the Alberta PIPA.
The Office of the Information and Privacy Commissioner of Alberta currently publishes data breach notification decisions where a real risk of significant harm was identified and notification to affected individuals was required. These decisions include the name of the organization that suffered the data breach and the Alberta OIPC’s analysis of harm to individuals. It remains to be seen whether the Commissioner will adopt this practice. If the Commissioner does, organizations should be prepared for a Breach to be made public when it is reported to the Commissioner.
Notices to affected individuals
Under the PIPEDA Amendments, organizations must notify an individual affected by a Breach when it is reasonable to believe that the Breach creates a real risk of significant harm to the individual.
Most of the content of these required notices mirrors the requirements under the Alberta PIPA for mandatory data breach reporting and those of the Commissioner for voluntary notification to individuals, with some additions. In particular, there is a proposed requirement to include a description of the steps that the individual could take to reduce the risk of harm.
The Regulations set out the manner of providing direct notification to individuals. Notification by “email or another secure form of communication” appears to be permitted only if the affected individual has consented to receiving information from the organization in that manner. As drafted, it is not entirely clear if consent would be needed for email notice or just for notice sent by “any other secure form of communication.” Paper (delivered or sent by “snail mail”), telephone and in-person notices may be used without consent. In our view, the consent requirement should be eliminated in favour of allowing notification by electronic means where such means have been used previously by the organization to communicate with the individuals. Furthermore, a preference for personal over electronic communication is outdated.
The Regulations also set out the circumstances when notification to affected individuals may be given indirectly, which include when the cost of giving direct notification is prohibitive to the organization. This may be welcomed by businesses in some circumstances, especially by smaller and mid-sized businesses involved in Breaches that affect many individuals. However, in order to provide indirect notice, an organization would have to publish information about the Breach conspicuously on its website or publish an advertisement that is likely to reach the affected individuals.
Record-keeping requirements for data breaches
The Regulations require organizations to maintain a record of every Breach for 24 months after the date of determination that it has occurred. This record-keeping requirement has been criticized as being overly broad in that it requires record-keeping in respect of all Breaches, including those that do not involve a “risk of significant harm” to individuals and would not be required to be reported to the Commissioner.
These records must include information that enables the Commissioner to verify compliance with the reporting and notification requirements under PIPEDA. Where a report to the Commissioner has been made, such report may be used as a record to satisfy the record-keeping requirement.
Members of the public may make representations regarding the Regulations until October 2, 2017.[1]
It is expected that once the final version of the Regulations is published, there will be a transition period before the PIPEDA Amendments are introduced and also prior to the Regulations being brought into force. The government did not indicate the duration of the transition period, although the regulatory impact statement notes that stakeholders proposed transition periods ranging from six to eighteen months. As there was a previous consultation on this topic in 2016, the PIPEDA Amendments and the Regulations may be finalized relatively quickly. Organizations should therefore be prepared to update their data breach response plans to address the requirements of the PIPEDA Amendments and the Regulations once they are finalized.
[1] We note that there was a consultation last year on what should be included under the Regulations (before any draft of the Regulations had been published). Some of the responses to that consultation were apparently considered in the drafting of the Regulations.