Privacy Breach Reporting Requirements – Tools Available to Organizations
During the last few years, organizations have used the media to disclose – often considerably after the fact – security breaches that may have compromised the personal information of their clients, due to flaws in their mobile apps, website or internal IT system. However, such public disclosure will soon no longer be sufficient under the upcoming new Canadian legislative framework.
On November 1st, 2018, new provisions of Canada’s Personal Information and Electronic Documents Act (PIPEDA) will come into force. Private-sector organizations subject to this statute will then be required to report breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals, such as reputational damage, financial loss, identity theft, etc.
In anticipation of the coming into force of the new provisions of this federal legislation, the Office of the Privacy Commissioner of Canada (the “OPC”) has issued a guidance document to help organizations comply with their new statutory obligations. The document stresses that PIPEDA and its new provisions apply to all organizations subject thereto, regardless of their size, and that any organization that does not comply with the obligations set out therein is guilty of an offence and liable to be fined.
In this document, the OPC also provides answers to several questions that organizations may have, including the following:
- What is a “breach of security safeguards”?
- What is a “real risk of significant harm”?
- How many individuals must be affected by the breach in order for it to be reported?
- Who is responsible for reporting the breach?
- How quickly after the breach must it be reported?
- What must be included in: (i) the records of all breaches that the organization must keep; (ii) the notification to individuals affected by the breach, and (iii) the breach report form that must be sent to the OPC in the event of a breach?
On this last point, the OPC has included at the end of the guidance document a PIPEDA breach report form that organizations can fill out and send in by email, mail or in person – a useful tool to keep handy!
The guidance document and the breach report form are available on the website of the OPC. For more information on the new provisions of PIPEDA and the regulations thereunder, including breach reporting and notification particulars, please see our previous article entitled “Data Breach Notification Obligations Coming into Force”.