Federal Privacy Commissioner Releases Final Breach Reporting Guidelines

Controller Responsibilities Clarified

Days before the coming into force of the PIPEDA Breach of Security Safeguards Regulations on November 1st, the Office of the Privacy Commissioner of Canada (OPCC) has published final guidelines to assist organization with compliance.  The following is a summary of the key changes between the draft and final guidelines:

  1. Who is responsible for reporting the breach? The draft guidelines stated: “We expect that reports from all organizations involved int eh breach should be sent to us”. The draft further provided examples of outsourcing relationships suggesting that when your service provider has a breach, they need to report it to the OPCC, as does the organization in control of the data (the “controller”) who engaged the service provider (the “processor”). During the short consultation period on the regulations, many stakeholders submitted that requiring both the controller and the processor to report the breach would be largely inconsistent with existing business practices and raise various operational concerns. The OPCC has thus modified this guidance and the final version states: “We find it reasonable to interpret the principal organization as having control of the personal information and therefore responsibility for breach reporting in respect of a breach that occurs with the third party processor.” The final guidelines warn that in complex business relationships, determining who has personal information “under its control” needs to be assessed on a case-by-case basis, by analyzing relevant contractual arrangements and the commercial realities between organizations.
  2. The OPCC has also added to the section of the guidelines addressing breach recordkeeping that the obligation to keep such records rests with the controller of the personal information implicated in the breach.
  3. Similarly, in the section on notifying affected individuals, the OPCC clarifies that the obligation to notify individuals of a breach rests with the controller of the personal information implicated in the breach.
  4. The draft guidelines stated that if a breach was not reported to the OPCC, organizations must include in their breach records a brief explanation of why the breach was determined not to pose a ‘real risk of significant harm’. This is softened in the final guidelines to state that the record could include such an explanation, or any other sufficient details for the OPCC to assess whether an organization has correctly applied the real risk of significant harm standard.
  5. Lastly, the Breach Report Form has been separated from the guidelines.   The mandatory section on describing the circumstances of the breach now asks the reporting organization to describe all organizations involved in the breach including their roles with respect to the personal information in question. This is where processors would be identified.

The Breach Report form is a fillable PDF document that can be printed and submitted by postal mail or sent to notification@priv.gc.ca

For assistance with your breach response plans, contact PRIVATECH.