Last September, we advised that Innovation, Science and Economic Development Canada (“Canada’s Department of Industry”) had released proposed security breach notification regulations under Canada’s federal private sector privacy law – the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5, as amended) (“PIPEDA”) (the “Proposed Regulations”).
While the Government of Canada has not provided a public update on the status of the Proposed Regulations, the Governor General in Council (i.e. cabinet) issued an Order in Council on March 26th (the “Order in Council”) which sets November 1, 2018 as the date upon which the security breach notification requirements under the Digital Privacy Act (S.C. 2015, c. 32, as amended) (the “Digital Privacy Act”) will come into force.
In addition, on March 26th the Governor General in Council issued a second Order in Council that said: “Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to subsection 26(1) of the Personal Information Protection and Electronic Documents Act, makes the annexed Breach of Security Safeguards Regulations.” The regulations have not been included on the Government of Canada’s website that contains the Orders in Council. It is anticipated that the final regulations will be published later this month in the Canada Gazette (the “Final Regulations”).
In 2015, the Canadian government enacted the Digital Privacy Act to address, in part, the concern that PIPEDA did not contain security breach notification requirements.
While the form and content of security breach notices remains to be formally established by regulation, in our view, sufficient information is presently known, through the Digital Privacy Act and the Proposed Regulations, about what the security breach notification framework will look like in Canada.
With this information, organizations can begin to put into place strategies, policies, protocols and procedures so compliance with the new security breach notification requirements (the “New Requirements”) can be achieved starting on November 1, 2018.
Organizations will be required to report to the Office of the Privacy Commissioner of Canada (the “Commissioner”) any “breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” (the “Reports to the Commissioner”).
A “breach of security safeguards” has been defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 [to PIPEDA] or from a failure to establish those safeguards.”
“Significant harm” has been defined to include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
In determining whether a breach of security safeguards creates a real risk of significant harm to an individual, the following factors must be considered: (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused; and (c) any other prescribed factors. It remains to be seen whether the Final Regulations will prescribe any other factors.
Reports to the Commissioner must be made as soon as feasible after an organization determines that a breach of security safeguards has occurred. Reports to the Commissioner must be in writing and they must contain certain information that will be prescribed in the Final Regulations.
Organizations are also required to notify individuals of any breach of security safeguards involving their personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individuals, unless an organization is otherwise prohibited by law from doing so.
Notifications to individuals must contain sufficient information to allow individuals to understand the significance to them of the breach of security safeguards and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. The Final Regulations will require that the notifications contain certain prescribed information.
Notifications must be conspicuous, must be given as soon as feasible after an organization determines that a breach has occurred, and must be given directly to individuals in a prescribed form and manner. The Final Regulations will require that direct notification be given to affected individuals in a prescribed manner. In certain situations, notification to individuals can be given indirectly.
Organizations are required to keep and maintain a record of every breach of security safeguards involving personal information under their control (collectively, “Records”), and are required to provide the Commissioner with access to, and a copy of, the Records.
The Final Regulations will set out for how long the records must be maintained, and will set out any other obligations organizations must comply with in respect of creating and maintaining the Records.
Once the Final Regulations are published in the Canada Gazette, organizations can update their compliance program to include any requirements that were not originally included in the Proposed Regulations.
In addition, pursuant to the Order in Council, as of November 1, 2018:
1. individuals will be able to file, with the Commissioner, written complaints against organizations for not complying with the New Requirements;
2. the Federal Court of Canada will be able to order organizations to correct their practices in order to comply with the New Requirements;
3. the Commissioner is mandated, under PIPEDA, to encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with the New Requirements;
4. whistleblowing protections come into force in respect of the New Requirements; and
5. failing to report to the Commissioner certain types of security breaches, or to maintain appropriate records of certain types of security breaches, will become punishable offences under PIPEDA.