On September 2, 2017, Innovation, Science and Economic Development Canada (ISED) published a proposed draft of PIPEDA’s Breach of Security Safeguards Regulations. A 30-day timeline has been given for stakeholder comments and feedback, but it is unlikely that the consultation will result in any significant changes, given that the regulations were drafted in light of an already thorough consultation process last year.
Breach Notification and Reporting Requirements
The proposed regulations specify the minimum content and form requirements when providing a data breach report to the Office of the Privacy Commissioner of Canada (OPCC), and when notifying affected individuals of a data breach, as will be required when a breach poses a ‘real risk of significant harm’. When PIPEDA was amended in 2015, it was felt that the new regs would provide guidance on this test. However, in response to feedback from stakeholders, ISED has decided that guidelines are more appropriate to provide further direction on conducting an assessment of risk and determining which third party organizations should be informed of a breach (the law requires third parties to be notified of a breach if they are believed to be in a position to mitigate the risk of harm).
The Alberta Information and Privacy Commissioner’s office has been assessing risk of harm since 2010, when the Alberta PIPA was amended to include mandatory breach reporting and notification. The way in which its analysis first addresses ‘harm’ and then ‘significant risk’ is instructive. Organizations that will be subject to the PIPEDA breach response requirements should get accustomed to conducting a similar two-step analysis.
The draft regulations deliberately leave open what kind of information would constitute a ‘record’ under the breach recordkeeping obligations and in fact, state that a breach report to the Commissioner is in and of itself a record of a breach of security safeguards. As stated in the Regulatory Impact Analysis Statement published by ISED, it is important to stakeholders and the government to ensure “flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances”.
ISED has made it clear that the expectation is that records will be kept of all breaches, regardless of how big or small, and not just ‘material’ or significant breaches. The recordkeeping provisions are intended to provide the OPCC with the necessary information to determine if breaches are being responded to adequately, and as stated by ISED, “consistency in reporting will allow for metrics to be developed for evidence-based policy-making”.
A question that I have often been asked is how long to keep detailed records of breaches, including personal information affected, response timelines and how the breach was investigated and resolved. This question has been answered in section 6(1) of the regs, which states that records must be kept for 24 months after the day on which the organization determines that the breach occurred. Thus, the OPCC can request and review the history of breaches experienced by an organization within a two-year window. This is a minimum requirement – organizations may determine that a longer timeframe is necessary for their own assessment and planning activities.
PRIVATECH is hosting webinars on the breach of security safeguards regulations and implementing an effective breach response program. A webinar brochure is available, or visit PIPEDABreach.com to register. Space is limited.