On April 18, 2018, the Government of Canada published the final regulations relating to mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). To date, most organizations under PIPEDA’s purview have not been subject to mandatory privacy breach notification requirements. While organizations in the United States are familiar with breach notification statutes, organizations both within and outside of Canada will need to pay careful attention to the new requirements imposed under PIPEDA and assess any changes that need to be made to ensure compliance when the final regulations go into effect on November 1, 2018.

Application to Organizations

Within Canada, PIPEDA applies to:

  • All private sector organizations that collect, use, or disclose personal information in the course of their commercial activities (PIPEDA does not apply to organizations that operate entirely in Alberta, British Columbia, or Quebec);
  • Personal information about an employee of, or an applicant for employment with, the organization and the organization collects, uses, or discloses that personal information in connection with the operation of federal works, undertakings, and businesses; and
  • All personal information that flows across provincial or national borders in the course of commercial transactions involving organizations subject to PIPEDA or similar legislation.

Outside of Canada, PIPEDA applies to foreign organizations with a real and substantial link to Canada that collect, use, or disclose the personal information of Canadians in the course of their commercial activities.

Important Definitions

To understand the requirements imposed under PIPEDA, organizations will need to understand the terms of the statute that trigger notification. For those organizations familiar with breach notification statutes, PIPEDA’s definition of “breach” will look familiar. PIPEDA defines a “breach of security safeguards” as the “loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguard or from a failure to establish those safeguards.”

On the other hand, PIPEDA’s definition of “personal information” is extremely broad. “Personal information” is defined as any “information about an identifiable individual.” This definition of “personal information” encompasses any factual or subjective information, recorded or not, about an individual, including, but not limited to, name, age, ethnic origin, religion, Social Insurance Number, email address, health information, financial information, biometric information, employee files, credit reports, and education history.

Notification Requirements

An organization must notify individuals of any breach of the security of safeguards involving their personal information if it is reasonable to believe that the breach creates a “real risk of significant harm.” Concurrently, the organization must also report to the Privacy Commissioner of Canada.

Prior to notification, organizations will have the opportunity to engage in a risk of harm analysis to determine whether the circumstances of the breach actually pose a real risk of significant harm to individuals. If not, notification is not required. To assist organizations in this determination, PIPEDA defines “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

PIPEDA will also require organizations to notify additional government institutions if the organization believes that the organization may be able to reduce or mitigate the risk of harm to the affected individuals by issuing the notification.

Timing of Notifications

Notification to impacted individuals and the Privacy Commissioner should occur as soon as feasible after the organization determines a breach has occurred.

Content of Report to Commissioner

The report to the Privacy Commissioner must be sent by any secure means of communications and contain the following:

  • Description of the circumstances of the breach and the cause, if known;
  • The day or the period during which the breach occurred, or the approximate period;
  • A description of the personal information subject to the breach, if known;
  • The number of individuals or approximate number of individuals affected;
  • A description of the steps taken by the organization to reduce or mitigate the risk of harm to affected individuals;
  • A description of the steps that the organization has taken or intends to take to notify affected individuals in accordance with PIPEDA; and
  • The name and contact information of a person who can answer the Commissioner’s questions on behalf of the organization.

Content of Notice to Individuals

Notification to individuals must occur in person, by telephone, mail, email, or any other form of communication that a reasonable person would consider appropriate and include:

  • Description of the circumstances of the breach;
  • The day or the period during which the breach occurred, or the approximate period;
  • A description of the personal information subject to the breach, if known;
  • A description of the steps taken by the organization to reduce or mitigate the risk of harm from the breach;
  • A description of steps individuals can take to reduce the risk of harm that could result from the breach; and
  • Contact information that the individual can use to obtain further information about the breach

Record Keeping Requirements

Most notably, PIPEDA will now require organizations to keep and maintain a record of every breach of security safeguards for twenty-four (24) months. What constitutes a record is subject to interpretation, however, the record must contain any information that enables the Privacy Commissioner to verify compliance with PIPEDA. On request, an organization must be prepared to provide the Privacy Commissioner with access to, or a copy of, a record.

Conclusion

Organizations should carefully review, revise, and implement new privacy policies and procedures prior to November 1, 2018 to ensure compliance with the mandatory breach notification and record-keeping requirements imposed by PIPEDA.