On November 1, 2018, new mandatory privacy breach reporting requirements will come into effect for all organizations governed by the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In preparation, the Office of the Privacy Commissioner of Canada (“OPC”) has released a document providing guidance on mandatory breach reporting. This guidance is currently in draft form and open for consultation from stakeholders until October 2, 2018, following which a final version of the document will be published.
When to Report a Breach
The mandatory breach reporting requirements will only require organizations to report breaches that create a “real risk of significant harm” to an individual. If there is a real risk of significant harm, the breach must be reported regardless of how many individuals are affected; a breach involving a single individual is reportable.
What is a Real Risk of Significant Harm?
The OPC defines “significant harm” as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
In order to determine whether a real risk of significant harm exists, an assessment must be done based on the sensitivity of the personal information involved in the breach, and the probability that the personal information has been or will be misused.
Assessing whether personal information is sensitive requires consideration of the context. Some information, such as medical or financial records, will always be considered sensitive, while other information, such as name and address, may only be considered sensitive in certain circumstances. For this reason, assessing sensitivity requires an examination of:
- the personal information that is the subject of the breach;
- the circumstances surrounding the breach; and
- the potential harms to the affected individual.
Probability of Misuse
The OPC has created a list of questions to consider in determining the probability that personal information will be misused. Some of these questions are:
- What happened and how likely is it that an individual will be harmed by the breach?
- Who accessed or could have accessed the information?
- Is there evidence of malicious intent?
- Were multiple pieces of personal information breached?
- Has harm materialized?
- Has the personal information been recovered?
- Is the personal information encrypted or anonymized?
A key factor in determining the probability of misuse is who the personal information was exposed to. Where the recipient is itself a risk to the individual (for example, a party with a motive to misuse the information), or where the information was disclosed to a large number of individuals or to unknown individuals or entities, the probability of misuse is greater than where there was an accidental disclosure to identifiable individuals or entities with a low likelihood of sharing the information.
How to Report a Breach
The OPC has also released a PIPEDA breach form for private sector organizations to report breaches. It can be found on the OPC website and requires a description of the breach, which includes:
- the number of individuals affected by the breach;
- when the breach occurred;
- the type of breach;
- a description of the circumstances;
- a description of the relevant safeguards in place when the breach occurred;
- a description of the personal information that was the subject of the breach; and
- a description of the steps taken by the organization to reduce the risk of harm or mitigate the harm.
Record Keeping Requirements
Regardless of whether there is a real risk of significant harm, organizations are required to keep records of every breach of security safeguards involving personal information under their control. These records must contain enough information to allow the OPC to verify compliance, including:
- date or estimated date of the breach;
- general description of the circumstances;
- nature of the information involved;
- whether or not the breach was reported to the OPC and whether individuals were notified; and
- if the breach was not reported, why the breach was determined not to pose a real risk of significant harm.
These records must be kept for at least 24 months after the day on which the organization determines that the breach occurred.
Notifying Affected Individuals
Where a breach poses a real risk of significant harm, affected individuals must be notified as soon as feasible after the organization determines that the breach has occurred. The notification must be direct (in person, by telephone, mail, or e-mail) and must contain:
- a description of the circumstances;
- the day (or period) when the breach occurred;
- a description of the personal information that was breached;
- a description of the steps taken to reduce the harm resulting from the breach;
- a description of the steps the individual could take to reduce the harm resulting from the breach; and
- contact information that the individual can use to obtain further information about the breach (e.g. the organization’s Chief Privacy Officer or his/her designate).
If direct notification is likely to cause further harm to the affected individual or undue hardship to the organization, or the organization does not have the necessary contact information for the individual, indirect notification can be given by way of a public communication (e.g. a public announcement) or a similar measure that could reasonably be expected to reach the individual.
Where an organization notifies affected individuals, it is also required to notify any other organization or government institution that it believes may be able to reduce the risk of harm or mitigate the harm. Examples might include law enforcement, banks, or payment processors.
In Our View
Organizations that are subject to PIPEDA should take the time to familiarize themselves with these new breach reporting requirements and review their privacy policies and incident response procedures for compliance. To mitigate the risk of breaches, organizations should also ensure that adequate security safeguards are in place for the protection of personal information and that all employees are properly trained in how to safely collect and handle personal information. Because whether the information was encrypted is one of the factors in assessing the probability of misuse, organizations should also document the safeguards (such as encryption) that were in place at the time of a breach, since that documentation is needed both for the OPC breach report form and for the organization’s own breach records.
For further information please contact Porter Heffernan at 613-940-2764.