Nearly three years after adding a mandatory data breach notification provision to its federal privacy law, Canada has taken steps that will effectuate the dormant requirement. The Governor General in Council, on the recommendation of the Minister of Industry, issued an Order in Council declaring that the notification provision, among other provisions in the Digital Privacy Act of 2015, would go into effect on November 1, 2018. On the same day, complementary regulations issued by the Department of Industry in September 2017 will also go into effect.
Beginning in November 2018, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) will require organizations with “control” over personal information to report a “breach of security safeguards” to the Privacy Commissioner of Canada if it is reasonable to believe that the breach creates a “real risk of significant harm.” Organizations must also notify any individual whose information was impacted by the breach. In both cases, notification must be provided as soon as feasible after determining a breach has occurred. A “breach of security safeguards” means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish safeguards. According to prior Privacy Commissioner guidance on Key Steps for Organizations in Responding to Privacy Breaches, organizations with “control” over personal information are generally those that have the direct relationship with the affected individuals.
The statute defines “significant harm” as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. It further defines factors that are relevant to determining whether a breach creates a “real risk” of significant harm as including:
- the sensitivity of the personal information involved in the breach;
- the probability that the personal information has been, is being, or will be misused; and
- any other prescribed factor.
The regulations identify the minimum content requirements for notifications to individuals and the Privacy Commissioner. As the comments in the Regulatory Impact Analysis Statement indicate, the requirements are similar to those of the Alberta Personal Information Privacy Act, which already includes a mandatory breach notification requirement, as well as the EU General Data Protection Regulation.
Entities that must notify an individual of a breach must also notify any other organization, including service providers, of the breach if they believe that the other organization may be able to reduce the risk of potential harm or mitigate actual harm caused by the incident.
The regulations also require entities to maintain a record of every breach of security safeguards – regardless of whether the breach poses a “real risk of significant harm” – for at least 24 months after determining that a breach occurred, somewhat akin to the record-keeping requirements in Article 33 of the GDPR. Organizations will be required to provide the Commissioner with access to, or a copy of, these records on request. As a result, the records should include “sufficient information . . . to demonstrate that [organizations] are tracking data security incidents that result in a breach of personal information” so that the Privacy Commissioner can verify compliance with the new reporting requirements.
Entities may be subject to fines of up to $100,000 for knowing violations of these requirements. Because PIPEDA contains a private right of action, violations could potentially also result in damages for failure to notify affected individuals. As a result, companies doing business in Canada may want to evaluate their incident response plans and compliance strategies against the upcoming Canadian breach response requirements, and review their vendor agreements to ensure that “control” over personal information is clearly delineated. Companies in control of such data may also want to ensure that service providers are contractually obligated to provide prompt notice of any breaches of security, as PIPEDA does not directly require this.