News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Tracker Privacy Tracker

Alerts and legal analysis of legislative trends

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Privacy List Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 Member Directory

Locate and network with fellow privacy professionals using this peer-to-peer directory.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 GDPR Training

Learn the legal, operational and compliance requirements of the EU regulation and its global influence.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 CIPP/E + CIPM = GDPR Ready CIPP/E + CIPM = GDPR Ready

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for GDPR readiness. Learn more today.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
Privacy and AI Governance Report

This report explores the state of AI governance in organizations and its overlap with privacy management.

2023 IAPP Privacy Professionals Salary Survey

This report explores the compensation, both financial and nonfinancial, offered to privacy professionals.
Privacy and Consumer Trust Report

This report shines a light on what consumers around the globe think about privacy and the companies that collect, hold and use their data.
IAPP-EY Annual Governance Report 2022

This year’s governance report goes back to the foundations of governance, exploring “the way that organizations are managed, and the systems for doing this."
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
International Data Transfers

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Vendor Marketplace

Use the Vendor Demo Center, Privacy Vendor List and Privacy Tech Vendor Report to easily identify privacy products and services to support your work.
Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the country’s privacy field deliver insights, discuss trends, offer predictions and share best practices.

Data Protection Intensive: Nederland Data Protection Intensive: Nederland

Hear expert speakers address the latest developments in data protection globally and in the Netherlands.

 Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Data Protection Intensive: Deutschland Data Protection Intensive: Deutschland

Join top experts for practical discussions of issues and solutions for data protection in the DACH region.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. 2023 is the place for speakers, workshops and networking focused on the intersection of privacy and technology.

Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts predict the evolving landscape and give insights into best practices for your privacy operation.

Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Canada stays close to home in new data breach regulations Related reading: A view from DC: Sectoral privacy updates spread with strengthened student standards

rss_feed

""

""

The Ministry of Innovation, Science and Economic Development Canada published the draft “Breach of Security Safeguards Regulations” in the Canada Gazette Sept. 2. The draft federal regulations will remain open for comment for a period of 30 days.

ISED stayed close to home in developing the proposed regulations, notwithstanding all the talk of Canada’s need to harmonize its laws to meet international standards, including, or perhaps especially, the European Union’s General Data Protection Regulation. Privacy professionals who are familiar with the Alberta breach regulations will find a great deal of similarity, although the draft federal regulations do provide additional clarity on certain points, such as the manner of notification.

Disappointingly, ISED failed to provide a safe harbor for effective encryption or any other guidance on what might constitute a “real risk of significant harm.” This leaves open the very strong likelihood that Canadian organizations will continue to be stuck trying to “prove a negative” when the commissioners assert that even unauthorized access to basic information could result in a “real risk of significant harm” to an individual. The usual position of the commissioners is that the individual could become a victim of phishing or identity theft even if no sensitive data is in issue. Although entirely speculative, it is not something that is capable (or often even worthwhile) for an organization to seek to disprove. Maddeningly, the Office of the Privacy Commissioner of Canada does not even accept that the harm from the loss of properly encrypted data is speculative — notwithstanding that this is the position in the EU under Article 34 of the GDPR, which is frequently held out as the model!

Reports to the OPC

For the most part, ISED opted to harmonize the reporting requirements under the Personal Information Protection and Electronic Documents Act with those required in the Alberta Regulations passed pursuant to the Alberta Personal Information Protection Act. In both cases, organizations will be required to report (in writing):

  • the circumstances of the breach (the draft federal regulations, also require organizations to report the cause of the breach, if known);
  • the date of the breach or the duration of the breach;
  • a description of the personal information affected;
  • an estimate of the number of affected individuals;
  • a description of the steps taken to reduce the risk of harm;
  • a description of any steps taken to notify the affected individuals; and
  • contact information for a person who can answer questions about the breach on behalf of the organization.

However, unlike the Alberta regulations, the draft federal regulations do not require the organization to include an assessment of the risk of harm to individuals. ISED wisely conceded to industry concerns that “this type of information is speculative and hypothetical.” Unlike the Alberta regime in which the Alberta Information and Privacy Commissioner is required to make an assessment of whether there is a real risk of significant harm and, therefore, whether individual notification is required, the OPC has no role to play in making an assessment of the risk of harm. Therefore, a speculative assessment of risk of harm is superfluous to any report to the OPC.

The organization is only required to make a report to the OPC if the organization has concluded that there is a “real risk of significant harm” as a result of the breach of security safeguards. Therefore, the fact of a report to the OPC is sufficient to suggest that the organization believes that the test has been met. If the organization has decided to report voluntarily, then whether the test has been met is irrelevant (as an aside, any organization thinking of making a report to the OPC but not notifying individuals should seek legal advice before embarking on such a strategy).

Individual notification

ISED opted against innovation when dealing with notification of individuals. Although ISED cites the importance of international harmonization, including with the GDPR, ISED chose to make Canada’s law more stringent, thereby increasing the compliance costs to Canadian organizations compared to those under the GDPR and many U.S. state breach notification laws. For example, under Article 34 of the GDPR, the threshold for notifying individuals is higher than that for reporting to the data protection authorities. The breach must be likely to result in a high risk to the rights and freedoms of individuals before direct notification is required. In the United States, many state breach laws only apply if certain types of sensitive information are subject to loss or unauthorized access.

By contrast, ISED opted against allowing organizations to provide general indirect notification of breaches involving data that might meet a test of something more than a mere possibility of significant harm but much less than a probability or high likelihood of significant harm. Had the ISED adopted such an approach, it would have brought the operational requirements for organizations closer to that of the GDPR. Instead, ISED has virtually copied the Alberta requirements. The default will be direct notification, which must include:

  • a description of the circumstances of the breach (but not necessarily its cause even if known);
  • the date of the breach or the duration of the breach;
  • a description of the personal information affected;
  • a description of the steps taken to reduce the risk of harm; and
  • contact information for a person who can answer questions about the breach.

However, unlike the Alberta regulations, the draft federal regulations also require the organization to include:

  • a toll-free number or an email address where the individual can ask questions or obtain more information;
  • information about the organization’s internal complaint process; and
  • information about the individual’s right to complain to the OPC.

Manner of notification

Where ISED has pushed further than the Alberta regulations is with respect to specifying how organizations are to notify individuals. When making direct notification, an organization may provide the notice:

  • by email or other secure form of communication to which the individual has consented to receive communications from the organization;
  • by letter to the last known address;
  • by telephone; or
  • in person.

The draft federal regulations provide that indirect notification can be made if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information.

Importantly, ISED provided that indirect notification could be conveyed through either a conspicuous message posted on the organization’s website for at least 90 days or by means of an advertisement that is likely to reach affected individuals. This will provide welcome flexibility in cases of where indirect notification is the sensible approach.

Record-keeping

ISED appears to have heard the concerns raised by organizations regarding the data breach record-keeping requirements. Instead of creating potentially onerous record-keeping requirements, ISED has opted to allow organizations to determine the form and content of those records, provided that the information enables the OPC to verify compliance with the requirement to report breaches to the OPC and to notify individuals where there is a real risk of significant harm to the affected individual because of the breach.

The draft federal regulations specifically state that a record of a report to the OPC of a breach could be used to fulfill the record-keeping requirements. Inferentially, therefore, this means that the information contained in the report to the OPC (discussed above) should be sufficient to fulfill the record-keeping requirements. Since the report to the OPC does not require the organization to describe its analysis of the risk of harm, this seems to imply that the records to be kept by an organization do not require that information either. If so, this is welcome news. Finally, the draft federal regulations appear to only require records to be kept for two years.

Next steps

The draft federal regulations will undergo a 30-day comment period. ISED may then either amend the draft federal regulations or register them and they will be published in the Canada Gazette. It appears that there will be an unspecified period before the federal regulations coming into force to permit organizations to implement the new requirements.

photo credit: Ian Muttoo Happy Canada Day! via photopin (license)

Author
Headshot Timothy Banks IAPP Member Contributor
Tags
Canada
Data Loss
Privacy Law
Comments

If you want to comment on this post, you need to login.

Related Stories
ANPD clarifies children's data processing under LGPD
Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a statement to standardize the General Data Protection Law's interpretation of processing data of children and teens. It notes data processing can be conducted "based on the legal hypotheses provided for in t...
Read More queue Save This
A view from DC: The week of education privacy
IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, offers his take on the latest privacy developments in the nation's capital and around the U.S., including the the status of potential federal privacy legislation and several education privacy initiatives from the U.S. Fed...
Read More queue Save This
Related Stories
Tags
Canada
Data Loss
Privacy Law
Recent Comments