We are almost at the two-year mark since mandatory privacy breach reporting and notification came into effect under PIPEDA. Last week the Office of the Privacy Commissioner of Canada (OPCC) released resources to help businesses address privacy breaches. These include a breach record inspection report based on a 2019 review of the records of 7 telecommunications companies, as well as a series of videos on breach reporting and notification. The OPCC also took the opportunity to highlight its recently launched secure portal for reporting breaches. Although a fill-in online form has been available for some time, many organizations prefer to report breaches using their own format, and they can now securely transmit such a file through the portal. The videos are a regurgitation of the breach guidelines published in 2018, so there is not much new there, other than a format that may be more digestible for some businesses.
Contents of Breach Records
This article thus focuses on the inspection report, as it provides some useful analysis and take-away reminders of what the OPCC expects to see in place for entities subject to PIPEDA. Keep in mind that the law requires organizations to keep and maintain a record of every breach of security safeguards involving personal information for a minimum of 24 months. This is true regardless of the sensitivity of the personal information compromised, or the probability of the information being misused. Even if it is determined that the ‘real risk of significant harm’ (RROSH) legal threshold for reporting and notification is not met, such breaches must form part of the organization’s records, with enough details for the OPCC to determine if the test is being appropriately interpreted should breach records be requested by the regulator.
The inspection report indicates that 40% of the 237 sample records inspected did not include sufficient information for the OPCC to adequately understand the organization’s assessment of RROSH in cases where the organization decided not to report the breach. The OPCC encourages organizations to have a systematic framework for assessing whether a breach creates a RROSH. In fact, the OPCC felt that 20% of the sample records involved breaches that may have been reportable even though the telco concluded it did not need to report them: either there was insufficient information, or the OPCC actually disagreed and felt RROSH was met. It is clear that the industry is interpreting RROSH as a higher threshold than one might think, so organizations should err on the side of caution and be risk averse when determining whether to report a breach.
The OPCC goes on to remind organizations to reflect on the probability and sensitivity factors when conducting the RROSH assessment. The inspection revealed that only 13% of the sample records included details about whether the organization thought the affected information was sensitive, considering instead only the probability that the personal information might be misused. If you are using a privacy breach reporting form in your organization for documenting and escalating breaches, make sure that sensitivity is separately addressed.
Despite the fact that the OPCC has a statutory right of access to breach records, the telcos involved (and I’m sure they are relieved not to be individually named) would, as expected, not provide access to some records or parts of records, claiming that the information is subject to solicitor-client privilege. The OPCC indirectly acknowledged that this was appropriate. The report states, “…even if you need to withhold part of a record because of solicitor-client privilege, your organization needs to ensure your record still includes the prescribed information…”.
A Breach Record Management System
Clearly the importance of a breach record management system cannot be overstated. Indexed logs of privacy breaches help to quickly locate similar breaches and ensure they are being treated consistently, as well as ease the production of breach records. Note that the OPCC’s right to access breach records is different from its right to audit organizations, which must be based on reasonable grounds. It is unclear how frequently the OPCC will engage in such inspections.
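To make the record-keeping points above concrete, here is an added example (not from the OPCC report or any PRIVATECH tool) of a minimal breach record log that documents sensitivity and probability separately, flags the deficiencies the inspection found, computes the 24-month retention date, and indexes records so that comparable breaches with different RROSH conclusions stand out. The field names, the rationale word-count threshold and the sample records are assumptions constructed for illustration, not the prescribed fields of the Regulations.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

MIN_RATIONALE_WORDS = 12   # assumed threshold for a "sufficient" non-report rationale


@dataclass(frozen=True)
class BreachRecord:            # hypothetical schema, not the Regulations' prescribed fields
    record_id: str
    occurred: date
    info_types: frozenset       # categories of personal information involved
    sensitivity_assessment: str # documented separately from probability (OPCC reminder)
    probability_assessment: str # likelihood the information is or will be misused
    rrosh_met: bool
    reported_to_opcc: bool
    rationale: str              # why RROSH was, or was not, found


def record_gaps(rec: BreachRecord) -> list:
    """Deficiencies of the kind the inspection report flagged."""
    gaps = []
    if not rec.sensitivity_assessment.strip():
        gaps.append("sensitivity not assessed")
    if not rec.probability_assessment.strip():
        gaps.append("probability of misuse not assessed")
    if not rec.reported_to_opcc and len(rec.rationale.split()) < MIN_RATIONALE_WORDS:
        gaps.append("insufficient rationale for not reporting")
    if rec.rrosh_met and not rec.reported_to_opcc:
        gaps.append("RROSH met but not reported")
    return gaps


def retained_until(rec: BreachRecord) -> date:
    """Earliest date the record may be purged: 24 months after the breach."""
    try:
        return date(rec.occurred.year + 2, rec.occurred.month, rec.occurred.day)
    except ValueError:          # 29 February rolls over to 1 March
        return date(rec.occurred.year + 2, 3, 1)


def inconsistent_treatment(records) -> dict:
    """Index by information types; return groups whose RROSH conclusions differ."""
    by_types = defaultdict(list)
    for r in records:
        by_types[r.info_types].append(r)
    return {k: [r.record_id for r in v] for k, v in by_types.items()
            if len({r.rrosh_met for r in v}) > 1}


SAMPLE = [  # constructed sample records, not taken from the report
    BreachRecord("R1", date(2020, 3, 2), frozenset({"name", "SIN"}), "SIN is highly sensitive",
                 "statement mailed to a stranger", True, True,
                 "a SIN exposed to an unknown third party creates a real risk of identity fraud"),
    BreachRecord("R2", date(2020, 5, 9), frozenset({"name", "SIN"}), "",
                 "recipient confirmed deletion", False, False, "low probability"),
]
```

Running `record_gaps` over `SAMPLE` shows R2 missing a sensitivity assessment and carrying a thin non-report rationale, and `inconsistent_treatment` groups R1 and R2 together because the same data types led to opposite RROSH conclusions.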
There are a number of examples of breaches given in the inspection report followed by an analysis of whether there has been a RROSH. Unfortunately these scenarios are quite simple to resolve, and hopefully more complex breaches where RROSH is not as clear-cut will be addressed in the future. I recommend reviewing these examples regardless, as there is some useful discussion of considerations when analyzing RROSH.
For assistance with breach management contact PRIVATECH, or visit our Privacy Breach Response Toolkit. The Toolkit provides a template breach response procedure that addresses the PIPEDA Breach of Security Safeguards Regulations and how to conduct a RROSH analysis, as well as a breach notification flowchart and other resources.