The data breach notification requirements under Canada's Personal Information Protection and Electronic Documents Act come into effect today. Organizations subject to PIPEDA are now required to notify the Privacy Commissioner of Canada, affected individuals and, in some cases, other organizations, of any breach of security safeguards involving personal information under an organization’s control if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. A breach of security safeguards is defined as “… the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards [required under PIPEDA] or from a failure to establish those safeguards”.
This change has been a long time coming. The House of Commons Standing Committee on Access to Information, Privacy and Ethics recommended that PIPEDA be amended to include a breach notification requirement following a review of the legislation that began in 2006. The bill that included the new requirements in PIPEDA was passed by Parliament in the summer of 2015, and the government has since then been consulting and developing regulations.
Breach notification requirements have existed in the U.S. as far back as 2002. In 2010, Alberta became the first Canadian jurisdiction to implement breach notification in private sector privacy legislation. So this is not exactly earth-shattering stuff, and no one can claim they’ve been caught off guard.
The notification requirements in PIPEDA are similar to those in Alberta, although not exactly. This means that the threshold for reporting will likely be lower in practice than it appears on paper, as “a real risk of significant harm” has been interpreted in Alberta very broadly to include virtually any kind of breach involving personal information.
However, there are some notable differences. PIPEDA is federal legislation that applies to organizations in every jurisdiction, except for provincially-regulated organizations in Alberta, British Columbia and Quebec. So it applies much more widely than the Alberta requirements.
And, unlike Alberta, PIPEDA requires organizations to keep a record of every breach of security safeguards, regardless of whether there is a real risk of significant harm. These records must be retained for two years, and provided to the Office of the Privacy Commissioner (OPC) if requested.
By now a mandatory requirement in PIPEDA may almost seem redundant. Even without a legal obligation to do so, organizations have been voluntarily reporting breaches to the OPC for many years. And there are legitimate questions about the purpose of breach notification, including whether there is still value in notifying consumers about every breach that occurs.
Understandably, the OPC believes that notification is a good idea. However, the Commissioner is not entirely happy with the data breach notification regulations, nor with the fact that his office has not been provided with additional resources, stating that “the office’s work will be somewhat superficial and the regime will be less effective in protecting privacy.” Policy-making sure can be a thankless task.
However, all of this effort has not necessarily been a waste of time, as there are some concrete benefits to a mandatory requirement.
Most importantly, the decision of whether to notify the OPC when a breach occurs has become a bit easier. If PIPEDA applies, and there is a “real risk of significant harm,” then the decision is pretty clear.
Also, organizations that report to the OPC no longer have to worry about their problems being disclosed to the public under the Access to Information Act. The OPC took the view that the confidentiality provisions under PIPEDA did not apply to voluntarily provided breach reports because they were not obtained as a result of the performance or exercise of any of the Commissioner’s duties or powers, and were therefore open to the public. Breach reports are now excluded from access to information requests.
And although initial guidance from the OPC suggested that both the “principal organization” (e.g., “controllers”) and the “third-party processor” would need to notify if a breach occurred involving personal information that had been transferred to a third party for processing, this guidance has since been revised to reflect the definition of “control” in Canadian law. Absent unusual circumstances, only the principal organization needs to notify, as would be expected.
So, no need to panic — for many organizations, this is mostly business-as-usual.