Canadians have long been anticipating the implementation of federal privacy breach reporting requirements. Originally passed on June 18, 2015, Bill S-4, the Digital Privacy Act, included amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most of the amendments are already in force, with the exception of those pertaining to privacy breach reporting. As of November 1, 2018, organizations hit by a privacy breach that meets certain conditions will be required to notify affected individuals and the Office of the Privacy Commissioner.
According to the Act, organizations must report any breach where there is a "real risk of significant harm to the individual." The term "significant harm" is defined as "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on (one’s) credit record and damage to or loss of property."
Notifying the Commissioner
Notice to the Commissioner must be in the form of a written report that includes:
- the circumstances and cause (if known) of the breach
- the day (or time period) the breach occurred
- the personal information that was exposed
- an estimate of the number of individuals affected
- the steps the organization has taken to minimize the risk to affected individuals
- the steps the organization has taken (or will take) to notify affected individuals
- the name and contact information of the representative of the organization who will respond to inquiries on the breach
Notifying Affected Individuals
Notice to affected individuals must be delivered by email, letter, telephone or in person except in cases where the direct notification could cause further harm to affected individuals or undue hardship to the organization, or where current contact information for affected individuals is unavailable. Under these circumstances, the organization is permitted to provide indirect notification through public announcements or advertising. The notice must include:
- the circumstances of the breach
- the day (or time period) the breach occurred
- the personal information that was exposed
- the steps that the organization has taken to minimize the risk to affected individuals
- the steps that affected individuals can take to minimize the risk for themselves
- contact information that affected individuals can use for further information about the breach
- the organization’s internal complaint process and rights of affected individuals to file complaints with the Commissioner
In circumstances where notifying other organizations or government institutions could help minimize the risks to affected individuals of a breach, the organization is required to do so as well.
Record-Keeping
For any privacy breach that occurs, regardless of whether or not notice is required, organizations must maintain records for 24 months from the date the breach is discovered. The Commissioner can request access to the breach records at any time to determine whether the organization is complying with PIPEDA. Organizations will want these records to document their compliance as fully as possible in order to avoid penalties.
Penalties for Violations
Violations of the privacy breach reporting requirements could lead to fines of up to $100,000 for each violation.
Leading up to the November 1 enforcement date, it is important for all organizations to:
- conduct a thorough review of existing cybersecurity measures
- enhance safeguards where necessary to protect personal information
- implement formal, written policies and procedures for identifying and responding to breaches
For further details about the regulations, see the Government of Canada's release on the Breach of Security Safeguards Regulations.