Breach notification has become a matter of accountability and best practice, even if there is no legal obligation to notify individuals whose information has been compromised. By way of example, recently more than 1,500 people were potentially affected by a privacy breach involving an internal website used by Prairie Mountain Health.
The breach of the regional health authority’s website, which is also used by Emergency Medical Services, involved patient information regarding ambulance transportation records from 2013 to this year. The information at risk of compromise included demographic and clinical information regarding clients as well as limited employment information.
According to the media release, best efforts were made by Prairie Mountain Health to provide written notification to impacted individuals as soon as reasonably possible so that any necessary precautions could be taken.
Although the breach notification and reporting obligations amended PIPEDA in June of 2015, they are not yet a legal requirement. PIPEDA jurisdictions, such as Manitoba, Saskatchewan, Ontario and the Maritimes, can expect the following new rules to be put into force by the end of 2017 or early 2018 for a ‘breach of security safeguards’:
- The regulator, being the Office of the Privacy Commissioner of Canada (OPCC), and affected individuals will need to be notified if the breach poses a “real risk of significant harm” to the individual. The risk is based on the sensitivity of the personal information and the likelihood of misuse;
- Records of breaches will need to be maintained and produced upon request by the OPCC; and
- Third parties who can mitigate the risk of harm to the individual will also need to be notified.
The definition of a ‘breach of security safeguards’ references the failure to meet one of the safeguards listed in Clause 4.7 of Schedule 1 of PIPEDA, which supports the opinion that Schedule 1 (the Canadian Standards Association Model Code for the Protection of Personal Information), with its language of recommendations and best practices, should be taken seriously. Consider the examples of physical, organizational and technical safeguards in Clause 4.7 as requirements.
The definition is intended to include two elements – the first being that personal information is lost, or accessed by an unauthorized individual (either through theft or wrongful disclosure), and second, that the loss or unauthorized access is the result of someone violating the organization’s security safeguards (or is the result of the organization failing to establish such safeguards).
Here is the example provided by Industry Canada in their discussion paper on the breach notification and reporting requirements: The failure of an employee to password protect a database containing customer personal information as required by an organization’s security policy, which resulted in the database being accessed by contract employees not authorized to view it, would meet the definition of a data breach under PIPEDA. However, a failure to password protect the database alone, without the data being accessed by an unauthorized individual, would not meet the definition of a “breach of security safeguards” in the Act.
Breaches can be identified internally or externally, and based on the breaches we see reported in the media, most are accompanied by some element of human error. The voluntary guidelines developed by the Office of the Privacy Commissioner of Canada, Key Steps for Organizations in Responding to Privacy Breaches, outline four key steps in breach management:
1. Breach containment and preliminary assessment;
2. Evaluate the risks associated with the breach;
3. Notification and reporting; and
4. Prevention of future breaches.
I highly recommend that all organizations consider using these guidelines to inform their breach response plans.
PIPEDA’s offence provisions will also be modified to create offences for non-compliance with the data security breach obligations. Organizations may face fines per violation of up to $10,000 for a summary offence, or up to $100,000 for an indictable offence, for failing to report or record a breach, or for hindering the commissioner’s efforts to investigate a complaint or perform an audit.
Alberta’s Personal Information Protection Act has contained a duty to notify the Alberta Information and Privacy Commissioner of breaches that result in a real risk of significant harm to an Alberta resident since 2010 (section 34.1). Regulations set out the content for breach reports and notification letters – it is expected that the PIPEDA regulations we await will likely look quite similar. Thus the Alberta commissioner’s website is a good place to go for further planning of an organization’s breach response plans.
It is critical for organizations governed by PIPEDA to prepare for the new breach provisions. For assistance with your data breach response framework or procedures, as well as breach recordkeeping, contact PRIVATECH.