Canada Breach Notification Goes into Effect
November 7, 2018
Records and Information Management (RIM) service providers should note that data breach notification requirements went into effect across Canada on November 1. The requirement is a result of language in the Digital Privacy Act of 2015 (Bill S-4) amending the country’s Personal Information Protection and Electronic Documents Act (PIPEDA). The amendment also expands the enforcement powers of the Canadian Privacy Commissioner.
“Data breach notification requirements are among the most significant drivers of increased data security,” said PRISM International’s Gail Bisbee. “It provides a great opportunity for members to demonstrate the importance of professional information management services.”
“Clients are often unaware of new data protection requirements,” said i-SIGMA CEO Bob Johnson. “Providing them information on it is not only a responsibility as a data protection professional, but it is also great for business.”
According to Johnson, it is unknown whether weaker provincial breach notification will survive the new national law. “The new national law is stronger than the breach notification in Alberta, and the limited health breach notification in Ontario. Because the federal supersedes weaker provincial requirements, we assume they will go away or, more likely, be improved. Most provinces had no breach notification prior to November 1, and so there is no question regarding its jurisdiction.”
Under the law, service providers are required to notify the data controller in the event of any incident potentially exposing Personally Identifiable Information (PII). This requirement should be included in all policies and procedures and employee training. The discovery of an unreported breach often leads to severe fines. Contract language should also be changed to reflect this requirement.
From the Office of the Privacy Commissioner of Canada [1]:
What You Need to Know About Mandatory Reporting of Breaches of Security Safeguards
Under the new regulations for organizations subject to the Personal Information Protection and Electronic Documents Act, organizations must:
- Report to the Privacy Commissioner’s office any breach of security safeguards involving personal information where it creates a “real risk of significant harm;”
- Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
- Keep records of all breaches of security safeguards that affect the personal information under their control; and
- Keep those records for two years.
There could be financial penalties for non-compliance from the Attorney General of Canada.
Who is Responsible for Reporting the Breach?
“Questions about the issue of control may arise in particular where an organization (the “principal organization”) has transferred personal information to a third party for processing and a breach occurs while the personal information is with the processor.
In this regard, we note that PIPEDA’s accountability principle provides that an organization remains responsible for the personal information it has transferred to a third party for processing. In addition, we have heard from many stakeholders that requiring both the principal organization and the processor to report the breach would be largely inconsistent with existing business practices and raise various operational concerns.
Therefore, in this context, we find it reasonable to interpret the principal organization as having control of the personal information and therefore responsibility for breach reporting in respect of a breach that occurs with the third party processor.
In so doing, the principal organization will need to ensure there are sufficient contractual arrangements in place with the processor to address compliance with the breach provisions set out in PIPEDA. The same would be true for notification and record-keeping obligations.
That said, business relationships can be very complex and determining who has personal information “under its control” needs to be assessed on a case-by-case basis. This assessment can be informed by relevant contractual arrangements and commercial realities between organizations. Evolving business models and shifting roles may also impact the assessment. For instance, if an organization that is a processor uses or discloses the same personal information for other purposes, it is no longer simply processing the personal information on behalf of another organization and is thereby acting as an organization “in control” of the information.”
What Should Records Contain?
“Records must contain any information that enables the OPC to verify compliance with breach of security safeguards reporting and notification requirements in sections 10.1(1) and (3) of PIPEDA, including requirements to assess real risk of significant harm.
As a starting point, we would expect at minimum a record to include:
- date or estimated date of the breach;
- general description of the circumstances of the breach;
- nature of the information involved in the breach; and
- whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified.
The record should also contain sufficient details for the OPC to assess whether an organization has correctly applied the real risk of significant harm standard and otherwise met its obligations to report and notify in respect of breaches that pose a real risk of significant harm. This could include a brief explanation of why the organization determined there was not a real risk of significant harm in cases where the organization did not report the breach to the Privacy Commissioner and notify individuals.”
[1] What you need to know about mandatory reporting of breaches of security safeguards | Office of the Privacy Commissioner of Canada | https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/