When Bill S-4 passed last summer, all of the amendments to Canada’s private sector privacy law, PIPEDA, came into enforce immediately, except for one: breach notification. 

While S-4 created a mandate for breach reporting, that mandate does not come into force until the Department of Innovation, Science and Economic Development Canada—previously known as Industry Canada, now called ISED by most folks who work with them—determines the regulations for a number of important details surrounding the form notifications will take to both the Office of the Privacy Commissioner and affected individuals, how records will be kept, and how “risk” will be evaluated.

Thus, in March, ISED launched a consultation, whereby businesses and advocates could weigh in on what appropriate regulations might look like. Timothy Banks, CIPP/C, CIPM, has already laid out the in-depth details of the consultation here for Privacy Tracker. On Thursday, ISED came to the Privacy Symposium to meet with privacy professionals face-to-face and get immediate feedback. Jill Paterson, an advisor with ISED, led the discussion.

One particular piece of feedback attendees provided was a desire for consistency, especially with Alberta’s Personal Information Protection Act, which is the only provincial law with breach notification built in. Paterson assured people that the coming regulations would assuredly also use PIPA’s RRSH test for whether notification to individuals is necessary.

RRSH? That’s “real risk of significant harm.” Say it like “rosh.” And get used to it. That’s a term with which companies in Canada will have to become quite familiar, as they’ll have to create a framework for determining whether a breach is a “RRSH breach” or not, building in considerations for the sensitivity of the information and the probability it will come to misuse.

“Once a RRSH breach has been determined,” Paterson noted, “companies will have to notify the OPC, notify individuals, and notify any third parties who might be able to reduce the harm. Then they’ll have to maintain a record of the breach, even if it’s not a RRSH breach.”

What third parties? What do the records have to look like? What form would the notification to individuals take? Those are all still part of the consultation.

For instance, said Paterson, “is the notification to the OPC good enough to fulfill the record-keeping requirement?” Similarly, should law-enforcement have to be notified if there is suspected criminal activity? Should financial institutions always be notified in the case of a retail breach? Does the use of encryption always mitigate the risk of misuse and give one a free pass on notification?

Or are mandates like that too much detail for a regulation that’s supposed to be flexible and stand the test of time?

“We may not put any of that into regulations,” Paterson said. “Maybe we’ll just issue guides or codes of practice,” which are more flexible and can be more easily adjusted if they’re not working out. “Many organizations would like the discretion to make that decision about notification; others would like it in black and white. Smaller organizations maybe don’t have the ability to do these kinds of risk assessments on their own.”

Further, she indicated, ISED aims to make the eventual regulations “practical and effective … not overly burdensome, especially to small businesses.” They’ll also need to be technology-neutral, and align not only with PIPA, but as much as possible with the many U.S. state laws and the EU General Data Protection Regulation’s upcoming requirements.

“We have learned some things,” Paterson said, “from the States — where data breach notification has been in place the longest. For example, the specific time period for reporting is really not practical or feasible. A lot of states have reporting mandated in a certain time frame. But most aren’t even discovered until a long time after they happen, so it seems pointless to require reporting within 48 or 72 hours. We want to give organizations as much time as possible to mitigate and investigate the breach.”

She also mentioned a 2012 study that showed notification letters “seem to be somewhat incomprehensible to most consumers, so that’s why we’re looking carefully at what goes into a letter to consumers.”

Do you have feedback you’d like to provide? Get it in by May 31 by using the information on ISED’s web site right here. Paterson said they hope to have draft regulations for Cabinet review by this fall, with an aim toward final publishing of the regulations by fall of 2017.

However, “even if they’re published in 2017, they won’t necessarily come into force,” she said. “We could delay the coming into force period for some amount of time after that.”

So, if you think you need more time, you might want to mention that as well.