A month ago, on November 1, 2018, PIPEDA’s Breach of Security Safeguards Regulations came into force, making breach notification, reporting and recordkeeping mandatory in Canada. The Federal Privacy Commissioner released final guidelines to address key aspects of the regulations on October 30th.
The legal trigger for reporting the breach to the regulator and notifying affected individuals is whether the breach results in a “real risk of significant harm” (RROSH). The critical steps in analyzing RROSH are identifying the type of harm that may result and assessing the likelihood that the harm could result. The likelihood of harm must be based on the sensitivity of the information and the probability of misuse. Although PIPEDA does not define what is considered sensitive, certain types of information, such as medical and financial records, have traditionally been considered sensitive. However, the Commissioner has stressed that sensitivity is context specific, and the very circumstances of the breach may make the information more or less sensitive. The example given in the Commissioner’s guidelines contrasts the names and addresses of subscribers to a news magazine (likely not sensitive) with the names and addresses of subscribers to a special interest magazine, which could be very sensitive. The Commissioner has also provided a number of questions that can be asked to assess the probability of misuse. These questions cover the personal information affected, who has access to it and what the unintended recipient could do with it.
It is important to keep in mind that mandatory breach reporting has existed in Alberta since 2010 under Alberta’s Personal Information Protection Act (PIPA). Under the Alberta law, where the Alberta Commissioner finds that the RROSH test has been met with respect to an Alberta resident, the decision is published at https://www.oipc.ab.ca/decisions/breach-notification-decisions.aspx and the organization is required to notify the affected individuals. There are just under 130 published Alberta RROSH decisions for 2018, and given that the test in the PIPEDA regulations is adopted from Alberta, this provides an excellent resource for interpreting RROSH. We can expect the Federal Commissioner to address RROSH and review whether PIPEDA-governed organizations are appropriately interpreting the test in a manner that closely resembles the RROSH decisions in Alberta.
At the Toronto IAPP KnowledgeNet on December 3rd, the discussions on what to put in your breach records, on claiming solicitor-client privilege over certain records and on developing a consistent framework for determining RROSH highlighted that organizations are already feeling the compliance challenges. Privacy Officers, with support across the organization, and in particular from those tasked with overseeing IT Security, must dedicate time and resources to developing a strong breach response plan.