On September 17, 2018, the federal Office of the Privacy Commissioner (“OPC”) published its draft guidance about mandatory reporting of breaches of security safeguards (“Draft Guidelines”). The OPC is seeking public comments as it readies itself for a November 1, 2018 implementation date. The Draft Guidelines are divided into six parts and are designed to assist organizations on meeting these new legal requirements.
Part 1 – Obligations for Reporting Breaches
The OPC takes the position that whether a breach affects one person or a thousand, it must be reported if the organization that suffered the breach determines there is a “real risk of significant harm” to an individual. The report must come from the organization which is responsible for the personal information in its possession or custody, including information that may have been transferred to a third party for processing. Accordingly, in these circumstances, the organization will be responsible for reporting a breach that occurred with a third-party service provider.
Part 2 – Submitting a Breach Report to the OPC
The Draft Guidelines include a proposed form for breach reporting to the OPC. It is more fulsome than the existing breach report form and closely tracks the requirements outlined in subsection 2(1) of the Breach of Security Safeguard Regulations (the “Regulations”).
The reporting timeline remains “as soon as feasible” after a breach is discovered, even where all of the information is not known, confirmed or available. Interestingly, the Draft Guidelines specifically state that the information initially provided in the report may be amended or supplemented as it becomes available.
The Draft Guidelines also state that, subject to some limited exceptions, the OPC has a duty to maintain the confidentiality of the breach reports submitted to the Privacy Commissioner under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Interestingly, the Access to Information Act was amended by the Digital Privacy Act to create a statutory exemption from the disclosure of any data breach report in response to an access to information request.
Part 3 – Keeping Records of All Breaches
Under subsections 10.1(1) and (3) of PIPEDA, organizations are required to keep records of all breaches of personal information under their control. The OPC expects that these records will include, at a minimum the following details:
- date or estimated date of the breach;
- general description of the circumstances of the breach;
- nature of information involved in the breach;
- whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified; and
- if the breach was not reported to the Privacy Commissioner/individuals, a brief explanation of why the breach was determined not to pose a “real risk of significant harm.”
The breach records must be kept for at least 24 months and must be produced at the request of the OPC to verify compliance with PIPEDA’s requirements.
Part 4 – When and How to Notify Individuals
Notification to affected individuals must be provided if there is a “real risk of significant harm.” Notification can be provided directly (e.g., telephone, email, mail, etc.) or indirectly (e.g., public announcements, notice on corporate website, etc.). Indirect notification will typically be employed in limited instances.
Just as in the case of the breach report to the OPC, the notice to individual should include each of the elements referenced at section 3 of the Regulations.
Part 5 – Notification to Organizations
The Draft Guidelines also reiterate that when notifying individuals of a breach involving a “real risk of significant harm,” organizations must also notify any other government institutions or organizations that can reduce the risk of harm resulting from the breach or that can mitigate the harm.
Part 6 – Assessing Real Risk of Significant Harm
The Draft Guidelines state that organizations should develop a framework for assessing the “real risk of significant harm” so as to assess all breaches in a consistent manner. In this regard, they should identify the (i) sensitivity of the information, and (ii) probability of its misuse.
The Draft Guidelines provide a non-exhaustive list of factors that organizations should consider when building their framework.
The Draft Guidelines are helpful in terms of providing organizations a sense of the OPC’s minimal expectations when it comes to data breach reporting and record-keeping. However, they would have benefited from a discussion on the factors the OPC would consider from an enforcement standpoint – in particular, what factors it would consider when issuing fines for non-compliance. Interested organizations have until October 2, 2018 to submit their comments on the Draft Guidelines.
 “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. A “real risk of significant harm” must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability the personal information have been/is/will be misused.