Are you ready for Nov. 1? That's the day PIPEDA’s breach notification requirement comes into force. To help organizations prepare, the Office of the Privacy Commissioner (OPC) recently released its draft guidance on how to report a breach to that office. The OPC has published the draft guidance and is also seeking your input on whether or not you think the guidance is helpful.
One thing that we found intriguing in the draft was the discussion about control. Organizations that have control over personal information that is breached must report it. Figuring out who has control can sometimes be tricky, and the OPC seems to be taking an expansive interpretation. They cite this as an example:
• Company A engages Company B as a subcontractor to process personal information on Company A’s behalf.
• Company A learns that Company B has incurred a breach that involves the personal information it is processing for Company A.
• We would expect that both companies would report the breach to the OPC.
I’m not sure why it would be necessary for both companies to report the breach. Moreover, if the contract between Company A and Company B is properly drafted, it is unlikely that Company B would have any meaningful control over the personal information. While they would have custody, it wouldn’t necessarily follow that they would have control because they would be contractually bound to process the personal information in specified ways.
All privacy pros should take a moment to read the draft guidance. If you do and if something catches your eye, will you submit your comments to the OPC? We hope you do. Feedback on how this kind of guidance can be operationalized on the ground is important. Don’t sit quietly now and complain about an element of it later! And, more generally, time to gear up for Nov. 1!