TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Canada stays close to home in new data breach regulations Related reading: Roundup: Singapore, Australia, US and more

rss_feed
S18_Web_300x250-COPY
iapp-privacycore
PrivacyTraining_ad300x250.Promo1-01

The Ministry of Innovation, Science and Economic Development Canada published the draft “Breach of Security Safeguards Regulations” in the Canada Gazette Sept. 2. The draft federal regulations will remain open for comment for a period of 30 days.

ISED stayed close to home in developing the proposed regulations, notwithstanding all the talk of Canada’s need to harmonize its laws to meet international standards, including, or perhaps especially, the European Union’s General Data Protection Regulation. Privacy professionals who are familiar with the Alberta breach regulations will find a great deal of similarity, although the draft federal regulations do provide additional clarity on certain points, such as the manner of notification.

Disappointingly, ISED failed to provide a safe harbor for effective encryption or any other guidance on what might constitute a “real risk of significant harm.” This leaves open the very strong likelihood that Canadian organizations will continue to be stuck trying to “prove a negative” when the commissioners assert that even unauthorized access to basic information could result in a “real risk of significant harm” to an individual. The usual position of the commissioners is that the individual could become a victim of phishing or identity theft even if no sensitive data is in issue. Although entirely speculative, it is not something that is capable (or often even worthwhile) for an organization to seek to disprove. Maddeningly, the Office of the Privacy Commissioner of Canada does not even accept that the harm from the loss of properly encrypted data is speculative — notwithstanding that this is the position in the EU under Article 34 of the GDPR, which is frequently held out as the model!

Reports to the OPC

For the most part, ISED opted to harmonize the reporting requirements under the Personal Information Protection and Electronic Documents Act with those required in the Alberta Regulations passed pursuant to the Alberta Personal Information Protection Act. In both cases, organizations will be required to report (in writing):

  • the circumstances of the breach (the draft federal regulations, also require organizations to report the cause of the breach, if known);
  • the date of the breach or the duration of the breach;
  • a description of the personal information affected;
  • an estimate of the number of affected individuals;
  • a description of the steps taken to reduce the risk of harm;
  • a description of any steps taken to notify the affected individuals; and
  • contact information for a person who can answer questions about the breach on behalf of the organization.

However, unlike the Alberta regulations, the draft federal regulations do not require the organization to include an assessment of the risk of harm to individuals. ISED wisely conceded to industry concerns that “this type of information is speculative and hypothetical.” Unlike the Alberta regime in which the Alberta Information and Privacy Commissioner is required to make an assessment of whether there is a real risk of significant harm and, therefore, whether individual notification is required, the OPC has no role to play in making an assessment of the risk of harm. Therefore, a speculative assessment of risk of harm is superfluous to any report to the OPC.

The organization is only required to make a report to the OPC if the organization has concluded that there is a “real risk of significant harm” as a result of the breach of security safeguards. Therefore, the fact of a report to the OPC is sufficient to suggest that the organization believes that the test has been met. If the organization has decided to report voluntarily, then whether the test has been met is irrelevant (as an aside, any organization thinking of making a report to the OPC but not notifying individuals should seek legal advice before embarking on such a strategy).

Individual notification

ISED opted against innovation when dealing with notification of individuals. Although ISED cites the importance of international harmonization, including with the GDPR, ISED chose to make Canada’s law more stringent, thereby increasing the compliance costs to Canadian organizations compared to those under the GDPR and many U.S. state breach notification laws. For example, under Article 34 of the GDPR, the threshold for notifying individuals is higher than that for reporting to the data protection authorities. The breach must be likely to result in a high risk to the rights and freedoms of individuals before direct notification is required. In the United States, many state breach laws only apply if certain types of sensitive information are subject to loss or unauthorized access.

By contrast, ISED opted against allowing organizations to provide general indirect notification of breaches involving data that might meet a test of something more than a mere possibility of significant harm but much less than a probability or high likelihood of significant harm. Had the ISED adopted such an approach, it would have brought the operational requirements for organizations closer to that of the GDPR. Instead, ISED has virtually copied the Alberta requirements. The default will be direct notification, which must include:

  • a description of the circumstances of the breach (but not necessarily its cause even if known);
  • the date of the breach or the duration of the breach;
  • a description of the personal information affected;
  • a description of the steps taken to reduce the risk of harm; and
  • contact information for a person who can answer questions about the breach.

However, unlike the Alberta regulations, the draft federal regulations also require the organization to include:

  • a toll-free number or an email address where the individual can ask questions or obtain more information;
  • information about the organization’s internal complaint process; and
  • information about the individual’s right to complain to the OPC.

Manner of notification

Where ISED has pushed further than the Alberta regulations is with respect to specifying how organizations are to notify individuals. When making direct notification, an organization may provide the notice:

  • by email or other secure form of communication to which the individual has consented to receive communications from the organization;
  • by letter to the last known address;
  • by telephone; or
  • in person.

The draft federal regulations provide that indirect notification can be made if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information.

Importantly, ISED provided that indirect notification could be conveyed through either a conspicuous message posted on the organization’s website for at least 90 days or by means of an advertisement that is likely to reach affected individuals. This will provide welcome flexibility in cases of where indirect notification is the sensible approach.

Record-keeping

ISED appears to have heard the concerns raised by organizations regarding the data breach record-keeping requirements. Instead of creating potentially onerous record-keeping requirements, ISED has opted to allow organizations to determine the form and content of those records, provided that the information enables the OPC to verify compliance with the requirement to report breaches to the OPC and to notify individuals where there is a real risk of significant harm to the affected individual because of the breach.

The draft federal regulations specifically state that a record of a report to the OPC of a breach could be used to fulfill the record-keeping requirements. Inferentially, therefore, this means that the information contained in the report to the OPC (discussed above) should be sufficient to fulfill the record-keeping requirements. Since the report to the OPC does not require the organization to describe its analysis of the risk of harm, this seems to imply that the records to be kept by an organization do not require that information either. If so, this is welcome news. Finally, the draft federal regulations appear to only require records to be kept for two years.

Next steps

The draft federal regulations will undergo a 30-day comment period. ISED may then either amend the draft federal regulations or register them and they will be published in the Canada Gazette. It appears that there will be an unspecified period before the federal regulations coming into force to permit organizations to implement the new requirements.

photo credit: Ian Muttoo Happy Canada Day! via photopin (license)

Comments

If you want to comment on this post, you need to login.