On October 29, 2018, the federal Office of the Privacy Commissioner (“OPC”) published the final version of its guidelines in connection with mandatory reporting of breaches of security safeguards (the “Guidelines”), ahead of the coming into force of the Breach of Security Safeguards Regulations (the “Regulations”) on November 1, 2018.
Beginning on November 1, 2018, organizations to which the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies will be required to: (i) report to the OPC breaches of security safeguards involving personal information; (ii) notify individuals affected by breaches; and (iii) maintain records of breaches. For a more detailed discussion of the upcoming changes, please see our prior analysis (click here).
The Guidelines include input received through public consultations (see our prior analysis on the draft Guidelines). They are divided into six parts and are designed to assist organizations in meeting the new legal requirements.
Part 1 – Obligations for Reporting Breaches
The OPC takes the position that regardless of the number of individuals affected by a breach, a report must be submitted if the organization that suffered the breach determines there is a “real risk of significant harm” (commonly known as the “RROSH” test) to a single individual.
The report must come from the organization that is responsible for the personal information in its possession or custody, including information that may have been transferred to a third party for processing (i.e. any action taken relating to personal information, including storing, disclosing or otherwise using the personal information on behalf of the controller). Even where the breach occurred with a third-party service provider, the organization that collected the personal information (the “controller”) in the first place will be responsible for reporting the incident. As a result, organizations considered to be controllers will need to ensure that sufficient agreements govern their relationships with processors.
Part 2 – Submitting a Breach Report to the OPC
The Guidelines include a new breach report form to be used by organizations when reporting an incident to the OPC. It is more fulsome than the existing breach report form and closely tracks the requirements outlined in subsection 2(1) of the Regulations.
The timeline for reporting remains “as soon as feasible” after a breach is discovered, even where all information relating to the breach is not yet known, confirmed or available. Interestingly, the Guidelines specifically state that the information initially provided in the report may be amended or supplemented as it becomes available.
Subject to some limited exceptions, the OPC has a duty to maintain the confidentiality of the breach reports submitted to the Privacy Commissioner under PIPEDA. Interestingly, the Access to Information Act was amended by the Digital Privacy Act to create a statutory exemption from the disclosure of any data breach report in response to an access to information request.
Part 3 – Keeping Records of All Breaches
Under subsections 10.1(1) and (3) of PIPEDA, organizations are required to keep records of all breaches of personal information under their control, even in cases where the breach was not reported to the OPC. The OPC expects that these records will include, at a minimum, the following details:
- date or estimated date of the breach;
- general description of the circumstances of the breach;
- nature of information involved in the breach;
- whether or not the breach was reported to the Privacy Commissioner of Canada / individuals were notified; and
- if the breach was not reported to the Privacy Commissioner / individuals were not notified, a brief explanation of why the breach was determined not to pose a “real risk of significant harm.”
Breach records must be kept for, at least, 24 months and must be produced at the request of the OPC to verify compliance with PIPEDA’s requirements.
Part 4 – When and How to Notify Individuals
Notification to affected individuals must be provided as “soon as feasible” after a breach is discovered if there is a “real risk of significant harm.” Notification can be provided directly (e.g., telephone, email, mail, etc.) or, under certain limited circumstances (where direct notification would likely cause further harm to the affected individual, undue hardship for the organization, or where the organization does not have the contact information for the affected individual), indirectly (e.g., public announcements or notice on corporate website).
Canadian organizations to whom the European Data Protection Regulation (“GDPR”) applies should be mindful of the differences in the notification guidelines. Importantly, under the GDPR, relevant breaches must be reported within 72 hours of discovery.
Just as in the case of the breach report to the OPC, the notice to individuals should include each of the elements listed under section 3 of the Regulations.
Part 5 – Notification to Organizations
The Guidelines reiterate that when notifying individuals of a breach involving a “real risk of significant harm,” organizations must also notify any other government institutions or organizations that can reduce the risk of harm resulting from the breach or that can mitigate the harm, such as law enforcement.
Part 6 – Assessing Real Risk of Significant Harm
The Guidelines provide that organizations should develop a framework for assessing the “real risk of significant harm” so as to assess all breaches in a consistent manner. In this regard, they should identify: (i) the sensitivity of the information; and (ii) the probability of its misuse. This framework should be documented, and organizations should be prepared to share this procedure with the OPC upon request.
The Guidelines also provide a non-exhaustive list of factors that organizations should consider when building their framework.
The Guidelines outline the OPC’s minimal expectations when it comes to the mechanics of data breach reporting and documentation (and retention of those records) related to complying with those obligations. They are helpful insofar as they provide organizations with a sense of the OPC’s likely enforcement approach when it comes to assessing compliance with the new regulations. It will be very worthwhile to monitor how organizations will now apply these Guidelines in practice, as well as the OPC’s response to those compliance efforts.
 “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. A “real risk of significant harm” must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability the personal information have been/is/will be misused.