Unsure About Mandatory Breach Reporting Obligations? OPC Publishes Draft Guidelines About What You Need to Know

October 2, 2018

By Amanda Branch

The Office of the Privacy Commissioner of Canada (the “OPC”) has published draft guidelines (the “Guidelines”) on mandatory breach reporting under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Breach of Security Safeguard Regulations.

Starting November 1, 2018, organizations subject to PIPEDA will be required to:

  • report to the OPC breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals
  • notify affected individuals about those breaches, and
  • keep records of all breaches (regardless of whether or not they meet the harm threshold for reporting).

An organization may also be required to notify other organizations or government institutions of the breach if such organization or institution may be able to mitigate or reduce the risk of harm to affected individuals.

What should organizations know about breach reporting?

Penalties. Failure to report a breach or to maintain required records is an offence under PIPEDA and non-compliance is punishable by a fine of up to $100,000.

Who should report. Generally speaking, the organization that is in control of the personal information involved in the breach must report the breach.

What to report. An organization must report to the OPC a breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to the individual. Organizations are not expected to report all breaches (but recall, organizations are required to keep a record of all breaches).

The Guidelines suggest that organizations develop a framework for assessing the real risk of significant harm. This will help to ensure breaches are assessed consistently.

What does a “real risk of significant harm” actually mean?

“Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Assessing a “real risk of significant harm” should be based on an assessment of the sensitivity of the personal information involved in the breach and the probability the personal information has been/is/will be misused.

The Guidelines provide additional details to help an organization with this assessment. 

How to report. The OPC has created a useful form (currently in draft, comments invited) that organizations can use to report a breach to the commissioner.

The breach should be reported to the OPC as soon as feasible after the organization determines a breach has occurred, even if not all information is known or confirmed. Organizations can update the form if/when they become aware of new information.

What about notifying individuals?

When to notify. Unless otherwise prohibited by law, any time an organization determines that a breach poses a real risk of significant harm to an individual, the organization must notify the affected individual and must include the prescribed information.

The notification must be given as soon as feasible after the organization determines a breach has occurred.

How to notify. The notification must be conspicuous and given directly to the individual (except in circumstances set out in the regulations where indirect notification is allowed).

The Guidelines provide additional details on what to include in the notification as well as how the notification must be done. 

Record keeping requirements – what are they?

Organizations subject to PIPEDA must keep records of every breach of personal information under its control – regardless of whether or not there is a real risk of significant harm.

Contents of a record.

The Guidelines state, that at minimum, it expects a record to include:

  • date or estimated date of the breach;
  • general description of the circumstances of the breach;
  • nature of information involved in the breach;
  • whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified; and
  • if the breach was not reported to the Privacy Commissioner/individuals, a brief explanation of why the breach was determined not to pose a “real risk of significant harm.”

The Guidelines state that personal information does not need to be included in the record, unless it is necessary to explain the nature and sensitivity of the information.

How long to keep a record.

PIPEDA requires the record to be kept for a period of 24 months from the day that the organization determined that a breach occurred.

By way of background, in 2015 the Digital Privacy Act introduced significant amendments to PIPEDA, including the creation of mandatory data breach reporting and record keeping requirements. In April 2018, the federal government published the Breach of Security Safeguard Regulations which set out the requirements for the new mandatory reporting regime. These regulations come in to force on November 1, 2018.

The Guidelines, published on September 17, 2018, invite interested parties to provide feedback by October 2, 2018.

Information on this website is for information only. It is not, and should not be taken as, legal advice. You should not rely on, or take or not take any action, based upon this information. Professional legal advice should be promptly obtained. Bereskin & Parr LLP professionals will be pleased to advise you.

Author(s):

Amanda Branch Amanda Branch
B.A. (Hons) Psych., J.D.
Associate
416.957.1690