On September 17, 2018, the Office of the Privacy Commissioner of Canada (OPC) published draft guidelines on mandatory breach reporting under the Personal Information Protection and Electronic Documents Act (PIPEDA). The guidelines are intended to assist organizations in meeting their breach reporting and record-keeping obligations under PIPEDA’s mandatory breach reporting regime, which comes into force on November 1, 2018. Organizations have until October 2, 2018 to provide feedback on these draft guidelines.
BACKGROUND
In 2015, amendments to PIPEDA (in the Digital Privacy Act) introduced provisions that created a federal mandatory breach reporting regime for Canada’s private sector. In April 2018, the federal government published the Breach of Security Safeguards Regulations (Regulations) setting out the requirements of the new regime, and announced that the Regulations would come into force on November 1, 2018.
BREACH REPORTING REQUIREMENTS
Starting November 1, 2018, organizations will be required to notify the OPC and affected individuals of “a breach of security safeguards” involving personal information under the organization’s control where it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to affected individuals. Other organizations and government institutions must also be notified where such organization or institution may be able to mitigate or reduce the risk of harm to affected individuals. Organizations must also keep and maintain records of all breaches of security safeguards regardless of whether they meet the harm threshold for reporting.
Failure to report a breach or to maintain records as required is an offence under PIPEDA, punishable by a fine of up to C$100,000.
For more details on the requirements of PIPEDA’s breach reporting regime, please see our previous Blakes Bulletins: Federal Data Breach Reporting Regulations Published – Take Effect November 2018, Cybersecurity Data Breaches and Mandatory Privacy Breach Reporting: Lessons from Alberta, One Step Closer to Mandatory Breach Reporting Across Canada: Consultations Open and Digital Privacy Act Receives Royal Assent, but Breach Notification Provisions Lag Behind.
DRAFT GUIDELINES
The draft guidelines are intended to assist organizations in meeting their breach reporting and record-keeping obligations under PIPEDA. Unfortunately for stakeholders, much of the information in the draft guidelines is simply a reiteration of the legal requirements as set out in PIPEDA and the Regulations.
However, the draft guidelines provide additional guidance in certain areas, including:
Who Is Responsible for Reporting a Breach?
Unfortunately, in this respect, the additional guidance is not helpful. The breach reporting provisions of PIPEDA require an organization to report and keep records of breaches involving personal information under the organization’s control. According to PIPEDA’s accountability principle, an organization that outsources information-processing activities to a third party remains in control of the information, and the service provider simply acts as a processor. The draft guidelines reiterate this concept, but then go on to say that both the controlling organization and the service provider have an obligation to report breaches to the OPC. This is not what the law requires and will be problematic for controllers and service providers alike. In particular, existing contractual arrangements are likely to require service providers to notify the controller of a breach but to prohibit service providers from notifying individuals or regulators; these notification obligations fall to the controller. Controllers, who are the parties that generally bear the greatest legal, financial and reputational risk from a breach, will usually have an interest in controlling all communications relating to the incident. Among other things, multiple reports of the same incident create a risk of confusion that could complicate any response by the OPC.
When Does a Breach Create a Real Risk of Significant Harm?
The draft guidelines state that organizations should develop a framework for assessing the real risk of significant harm so that all breaches are assessed consistently. They state that the factors to consider in determining whether a breach creates a real risk of significant harm include the sensitivity of the personal information involved and the probability of misuse, and they provide a non-exhaustive list of the types of harm that will be considered “significant”. The draft guidelines also provide a non-exhaustive list of questions that could be asked in making this assessment. While this list is helpful, stakeholders may have expected more detailed guidance in this area, including concrete examples of situations that do and do not create a real risk of significant harm.
Form of Report
As part of the consultation, the OPC has prepared a draft report form that organizations may use to report a breach. Certain fields on the form are marked as mandatory and others are optional. The mandatory fields largely align with the information that is required to be included in the report under the Regulations. Some of the fields (such as type of breach, and method used to notify individuals) provide drop-down menus with pre-determined responses, which is problematic because the pre-set options do not cover all possible responses.
What Information Must Be Included in a Breach Record?
The draft guidelines state that at minimum, the OPC would expect breach records to include:
- The date or estimated date of the breach
- A general description of the circumstances of the breach
- The nature of information involved in the breach
- Whether the OPC and/or affected individuals were notified and, if not, a brief explanation of why the breach was determined not to pose a “real risk of significant harm”.
These record-keeping obligations are consistent with the OPC’s previous submissions to Innovation, Science and Economic Development Canada regarding record keeping. The draft guidelines remind organizations that these records (and any reports to the OPC) need not include any personal information unless necessary to explain the nature and sensitivity of the information involved. Organizations will want to give careful thought to the form and content of their breach records, particularly as they may ultimately be producible in litigation arising out of a breach.