Corporate Law Author: Rosalyn Chan To Report or Not to Report?: There is No Question! In June of 2015, the Canadian federal Digital Privacy Act came into force, amending the Personal Information Protection and Electronic Documents Act(“PIPEDA“) to, among other updates, include mandatory breach notification requirements. Nearly three years later, the federal Government recently announced that the new obligations will come into force on November 1, 2018. What do you have to do now? The new breaches of security safeguard obligations include:
  1. reporting to the Office of the Privacy Commissioner of Canada (the “OPC“);
  2. notifying all affected individuals;
  3. notifying third party organizations and/or government institutions; and
  4. keeping records of all breaches of security safeguards.
Once these provisions come into force, organizations that are subject to PIPEDA will be required to, as soon as feasible, report to the OPC and notify all affected individuals of any breach of personal information in the organization’s control that reasonably creates a “real risk of significant harm to an individual”. “Significant harm” is broadly defined under PIPEDA to include: bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.  Organizations will be required to determine whether there is a “real risk of significant harm” by considering factors which include the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being, or will be, misused. Organizations are also required under PIPEDA to notify any other organizations or government institutions of any such breach of personal information, if such organization or government institution may be able to reduce the risk of harm or mitigate the harm to the affected individual. Further, and perhaps the most onerous obligation included in these amendments to PIPEDA, organizations are now obliged to keep and maintain records of each and every breach of security safeguards involving personal information for a period of 24 months after a breach has occurred. There is no minimum threshold (such as “significant harm”) that such breaches are subject to in order to be included in these records. Organizations must also provide the OPC with access to copies of these records upon request. What information is required in the reports and notifications?
  • Report to the OPC: Organizations will be required to describe the breach, provide details as to when the breach occurred, the personal information that was the subject of such breach, the estimated number of affected individuals, and the current and planned response of the organization. The OPC has provided some guidance, including submission forms on their website for use when reporting a privacy breach to the OPC.
  • Notification to Affected Individuals: In addition to the information organizations are required to include in the report to the OPC, organizations must include information about steps the individual may take to reduce harm, the organization’s complaint process and the individual’s rights under PIPEDA.
Difficulties
These new obligations create a few new challenges for organizations navigating applicable privacy laws and regulations. In particular, the interpretation and practical operational effects of what constitutes “significant harm” given its broad definition is very likely result in uncertainty and questions. Currently, there is a lack of objective guidelines, policies or formulas that organizations can rely on to determine whether breaches of personal information constitute “a real risk of significant harm” and thus, trigger the reporting and notifications requirements. This analysis will be especially important for large organizations controlling significant amounts of data in order to minimize operational inefficiencies in connection with analyzing each data breach on a case-by-case basis, with little to no threshold guidance. We hope to see the OPC develop guidelines or provide resources to allow organizations to better determine when their obligations are triggered. What remains unclear is the outcome of reporting to third parties. How should organizations identify other organizations or government institutions that may be able to reduce or mitigate the harm to the affected individual? Once these third party organizations or government institutions are notified, what are their obligations? Of particular concern may be that such third parties are not governed by PIPEDA to take any action with respect to any breaches reported to them, nor are they subject to nondisclosure obligations with respect to details of such breaches. Further, as mentioned above, organizations are now subject to onerous record keeping obligations, which will require them to record and store even the most trivial breaches that pose little to no harm to any individuals. For many organizations that control large amounts of personal data, such as retail businesses or media platforms, this new requirement imposes a significant operational obligation that may prove to be very costly, especially when considering that each instance of non-compliance with these mandatory breach notification requirements and record keeping obligations are considered an offence, which may carry a hefty fine per offence. Only time, and hopefully further guidance from the OPC, will tell.  In the meantime, the message is clear: when in doubt, report loudly and report often. This post is for informational purposes only and does not constitute legal advice or an opinion on any issue. If you are interested in receiving additional details on the topic above or advice about specific circumstances, please contact MEP Business Counsel at 604-669-1119 or info@meplaw.ca.