Privacy Breach Ready in Canada?

Final Breach of Security Safeguards Regulations Published

Yesterday, the Federal Government published the final data breach regulations that come into force on November 1, 2018, making it mandatory for organizations governed by PIPEDA to notify affected individuals and report breaches to the Office of the Privacy Commissioner of Canada (OPCC). The regulations clean up many of the drafting issues identified during the consultation period that followed the release of the draft regulations in September 2017. The prescriptive requirements of the draft have been replaced with language that gives organizations more flexibility in how they provide direct and indirect notification of a breach to individuals.

The notification and reporting obligations will be triggered when an organization determines that a privacy breach poses a real risk of significant harm (the ‘RROSH’ test). The sensitivity of the information and the probability that it will be misused factor into whether this threshold has been met, but it is hoped that the OPCC will offer additional guidance, as was suggested during the consultation period. We can certainly turn to RROSH decisions published by the Alberta Commissioner for further guidance, since the test was introduced in Alberta in 2010, when the Alberta Personal Information Protection Act was amended.

Mandatory breach recordkeeping, for a minimum of 24 months after the organization determines that a breach has occurred, is also introduced by the new regulations. This gives the OPCC the ability to request such records to verify that appropriate RROSH determinations are being made.

To give the regulations some teeth, organizations that knowingly fail to report to the OPCC or notify affected individuals of a breach that poses a RROSH, or knowingly fail to maintain a record of all breaches, could face fines of up to $100,000.

Keep in mind that a ‘breach of security safeguards’ is defined as any loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards. This clause (Principle 7 of the CSA Model Code) references physical, organizational and technological controls, which it is now more important than ever to implement within your organization.

For assistance with preparing for the coming into force of the Breach of Security Safeguards Regulations in the Fall, contact PRIVATECH.
