On November 1st, the new Breach of Security Safeguards Regulations (the “Breach Regulations”) under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into force. See the link to the Breach Regulations here.
Under the Breach Regulations, both small and large organizations now have an obligation to:
- Report breaches of security safeguards involving personal information to the Office of the Privacy Commissioner (the “OPC”) where there is a real risk of significant harm.
- Notify affected individuals and notify appropriate government organizations.
- Keep a record of every breach of security safeguards.
The OPC has published guidance related to the Breach Regulations, titled “What you need to know about mandatory reporting of breaches of security safeguards”. See the link here.
Reporting A Breach of Security Safeguards
PIPEDA defines a “breach of security safeguards” as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 [of PIPEDA] or from a failure to establish those safeguards”. The definition contemplates that even the loss of a USB key or a laptop would constitute a “breach of security safeguards”.
The reporting obligations do not require that an organization report all breaches to the OPC. The reporting obligations apply where the breach involves personal information that is under the organization’s control, and where it is reasonable to believe that the breach creates a “real risk of significant harm”.
Determining whether there is a “real risk of significant harm” requires, among other things, an analysis of the sensitivity of the personal information involved and the probability that the personal information will be misused. According to the OPC, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Neither PIPEDA nor the new Breach Regulations define “sensitivity”. However, Principle 4.3.4 of PIPEDA gives the names and addresses of subscribers to some special-interest magazines as an example of personal information that would likely be considered sensitive.
Under the Breach Regulations, an organization is also responsible for reporting a breach of security safeguards that occurs at a third-party service provider where there is a real risk of significant harm. The OPC expects that, in such an event, both the service provider and the organization will submit reports to the OPC.
Organizations may report certain information to the extent that it is available at the time of reporting and an organization may update the report at a later date.
Notifying Affected Individuals and Organizations
The Breach Regulations require that organizations notify affected individuals as soon as feasible in the event of a breach where there is a real risk of significant harm, and that organizations notify affected individuals directly. Depending on the sensitivity of the personal information and the real risk of significant harm, the organization may in some cases need to notify affected individuals before submitting its report to the OPC.
The Breach Regulations provide that the notification to affected individuals must include information sufficient to allow the affected individuals to understand the significance of the breach and to take any available steps to reduce the risk of harm that may result from the breach.
The Breach Regulations further provide that there are limited circumstances where direct notification may not be required, and an organization may provide indirect notification. Indirect notification may be given in circumstances where direct notification may cause further harm to the individuals, direct notification would cause undue hardship for the organization, or the organization does not have contact information for the affected individual.
In addition to the requirement to notify affected individuals, organizations are required to notify any other government organizations or institutions that the organization believes may be able to reduce the risk of harm to individuals.
Record Keeping
Although the reporting requirements under the Breach Regulations apply to breaches where there is a real risk of significant harm, the record keeping requirements apply to every breach, regardless of the risk of harm. Records of breaches must contain enough information to allow the OPC to confirm compliance with the Breach Regulations and PIPEDA, including an explanation of why, in cases where a breach was not reported, the breach was determined not to pose a real risk of significant harm. Breach records must be kept for two years, or longer as may be required in accordance with applicable law or related internal record-keeping requirements.