On March 26, 2018, the Government of Canada announced that the Canadian privacy breach notification rules will change on November 1, 2018.
The changes, made under the Personal Information Protection and Electronic Documents Act (PIPEDA), come into force on November 1, 2018.
These changes to PIPEDA will require domestic and foreign organizations to comply with the following:
- Notify individuals about privacy breaches
- Report privacy breaches to the Office of the Privacy Commissioner of Canada
- Keep certain records of privacy breaches.
The provisions coming into force are a combination of statutory provisions in PIPEDA and a set of regulations that address matters such as the content of notices and breach record keeping. The new Canadian privacy breach notification rules reach far, since they affect all industries and carry both compliance and legal risk.
This is an extremely important subject for all organizations and needs to be addressed if you operate in Canada. All domestic and foreign organizations subject to PIPEDA will need to take the steps necessary to assess and address how they will comply with the new rules and regulations regarding data breaches.
Below we will get into more detail regarding mandatory reporting of breaches of security safeguards.
*** 365 iT SOLUTIONS advises that users of this website seek specific legal advice by contacting their legal representation regarding any specific legal issues. ***
What will I learn about the Canadian privacy breach notification rules in this article?
This article will help organizations determine the following as aspects of the Canadian privacy breach notification rules:
- What security safeguard breaches must be reported to the Office of the Privacy Commissioner of Canada (OPC).
- What kind of notification you will need to give individuals by law.
- What records of breaches you are obliged to keep, including what information they must contain.
What is a breach of security safeguards?
According to PIPEDA, a breach of security safeguards is defined as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.
Does this apply to all organizations including small businesses?
The new Canadian privacy breach notification rules apply to large, medium, and small businesses. Everyone is subject to the PIPEDA requirements, including mandatory reporting and notification of breaches of security safeguards that pose a real risk of significant harm. All organizations are expected to keep records of all breaches of security safeguards.
Are there financial penalties for cyber security breaches?
PIPEDA makes it an offence to knowingly avoid the reporting, notification, and record-keeping requirements in relation to breaches of security safeguards. This can lead to fines, assessed case by case.
The Office of the Privacy Commissioner of Canada (OPC) does not prosecute offences under PIPEDA or issue fines. What they can do is refer information relating to the possible commission of an offence to the Attorney General of Canada, who would be responsible for any ultimate prosecution of the organization regarding the data breach.
For additional information and more details, you can consult the Personal Information Protection and Electronic Documents Act itself.
Are there other materials I can read about the changes to the Canadian privacy breach rules?
The Office of the Privacy Commissioner of Canada (OPC) offers many more materials that you can read and use for training within your organization.
This includes the following information:
- Tips for containing and reducing the risks of a privacy breach
- Securing personal information: A self-assessment tool for organizations
- Getting Accountability Right with a Privacy Management Program
Do I need to report all cyber security breaches to the OPC?
No. The law requires you to report a breach of security safeguards involving personal information under your control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
Importantly, it does not matter whether the breach of security safeguards affects one person or 1,000: it must still be reported if your assessment indicates there is a real risk of significant harm resulting from the breach.
Who is responsible for reporting the cyber security breach?
The Personal Information Protection and Electronic Documents Act requires an organization to report a cyber security breach involving personal information under its control. Your obligation to report the breach rests with an organization in control of the personal information implicated in the cyber security breach.
The Act does not define the term “control”, and the term is used in several provisions and contexts, which can lead to some ambiguity as to its meaning in a court of law.
Principal organizations need to ensure that adequate contractual arrangements are in place with the processors of their information to address compliance with the breach obligations set out in PIPEDA, including the notification and record-keeping obligations under the Act.
Business relationships are complex, and there is no clear-cut, black-and-white solution. There is a lot of gray area, which can make it very difficult to determine who has personal information “under its control”, so every situation must be addressed on a case-by-case basis. Control of the information is important, and it can change depending on how the information is handled. Evolving business models and shifting roles may also affect the assessment of a cyber security breach.
What is real risk of significant harm (RROSH)?
Significant harm is defined as bodily harm, humiliation, damage to reputation, damage to relationships, loss of employment, business opportunities, professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Many factors are relevant to determining whether a breach of security safeguards creates a real risk of significant harm. They include the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being, or will be misused.
You can find additional information on how to assess your cyber security breach and what needs to be reported.
More details available: Assessing real risk of significant harm
What form do I have to use to report a cyber security data breach?
Organizations are encouraged to use the PIPEDA breach report form when reporting a data breach. Organizations may report in another format they see fit, provided that the submission captures all the necessary information and follows the instructions for sending in a report that are included in the form.
For additional information about a potential breach report, organizations can also contact the Office of the Privacy Commissioner of Canada at 819-994-5444 or toll-free at 1-800-282-1376.
Can I add new information to a report already sent?
Reports can always be updated when you become aware of any new information regarding the data breach.
Who must keep records of data breaches?
The Act requires an organization to keep and maintain a record of every breach of security safeguards involving personal information under its control. The obligation to keep records rests with the organization in control of the personal information implicated in the data breach.
What records do I have to keep?
PIPEDA requires organizations to keep and maintain a record of every breach involving personal information under their control, whether or not there is a real risk of significant harm.
The simple rule under the Canadian privacy breach changes: there must be a record of every breach.
What should a cyber security breach record contain?
According to the Office of the Privacy Commissioner of Canada (OPC), breach records must contain all information that enables the OPC to verify compliance with the breach reporting and notification requirements, including the requirement to assess real risk of significant harm under sections 10.1(1) and (3) of PIPEDA.
As a starting point for creating a record of the event, you should include at least the following:
- The date (or estimated date) of the cyber security breach
- A description of the circumstances regarding the cyber security breach
- The nature of information involved in the cyber security breach
- Whether the breach was reported to the Privacy Commissioner of Canada, and whether individuals were notified
The record must include enough detail about the cyber security breach for the Office of the Privacy Commissioner of Canada (OPC) to assess whether the organization has correctly applied the real risk of significant harm standard.
If the organization concluded there was no real risk of significant harm, it must record its explanation of why it reached that conclusion, since that is the reason it did not report the breach to the Privacy Commissioner or notify individuals.
Do records have to include personal information about people?
You do not need to include personal information about the people involved in the breach. Your records should describe the nature as well as the type of information involved in the cyber security breach. You should only disclose personal details if it is needed to explain the nature and sensitivity of the information.
How long do I have to keep records?
According to the Canadian privacy breach notification rules, you are required to keep all cyber security breach records for a period of two years. Depending on your organization and industry, other legal requirements may require you to keep them for longer.
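The minimum record contents described above (date, circumstances, nature of the information, whether the OPC was notified and individuals were informed, and a rationale when no real risk was found) and the two-year retention period lend themselves to a simple breach register with a completeness check. The following is an added example, not code from the original article or the OPC; the field names are assumptions, and it assumes for illustration that the two-year retention clock starts at the breach date, which you should confirm for your own register.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Two-year minimum retention stated in the rules; other laws may require longer.
RETENTION = timedelta(days=2 * 365)


@dataclass
class BreachRecord:
    """One entry in the breach register. Field names are assumptions for this example."""
    occurred_on: date            # actual or estimated date of the breach
    date_is_estimate: bool       # True when occurred_on is an estimate
    circumstances: str           # description of what happened
    information_nature: str      # type/sensitivity of the data, NOT the personal data itself
    rrosh_assessed: bool         # was a real-risk-of-significant-harm assessment performed?
    real_risk_found: bool        # outcome of that assessment
    reported_to_opc: bool        # was a report sent to the Privacy Commissioner?
    individuals_notified: bool   # were affected individuals notified?
    no_risk_rationale: str = ""  # required when the organization decided not to report


def validate_record(rec: BreachRecord) -> List[str]:
    """Return the list of gaps against the minimum content; empty means the record is complete."""
    problems: List[str] = []
    if not rec.circumstances.strip():
        problems.append("missing description of the circumstances")
    if not rec.information_nature.strip():
        problems.append("missing nature of the information involved")
    if not rec.rrosh_assessed:
        problems.append("no real-risk-of-significant-harm assessment recorded")
    if rec.real_risk_found and not (rec.reported_to_opc and rec.individuals_notified):
        problems.append("real risk found but OPC report and/or individual notification missing")
    if not rec.real_risk_found and not rec.no_risk_rationale.strip():
        problems.append("not reported: explanation of why no real risk was found is required")
    return problems


def may_dispose(rec: BreachRecord, today: date) -> bool:
    """True only once the two-year minimum has elapsed (assumption: measured from the breach date)."""
    return today - rec.occurred_on >= RETENTION


if __name__ == "__main__":
    # Constructed sample entry, not a real incident.
    sample = BreachRecord(date(2018, 11, 5), False, "Unencrypted laptop lost in transit",
                          "customer names and account numbers", True, True, True, True)
    print(validate_record(sample))  # [] when complete
    print(may_dispose(sample, date(2019, 6, 1)))  # False: still within the retention period
```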
You experienced a cyber security breach: when and how do you notify the affected individuals?
According to the Canadian privacy breach notification rules, an organization must notify an individual of any cyber security breach involving the individual’s personal information that is under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to that individual.
When do I notify individuals about the cyber security breach?
As soon as possible, unless prohibited by law. If you determine that a breach has occurred and that it poses a real risk of significant harm to an individual, you must notify the individuals who are affected. Notification of the breach of personal information must be given directly to the individual, except in the limited circumstances where indirect notification is permitted.
What do you have to include in cyber security breach notifications to individuals?
The notification must be clear and provide enough information to allow the affected individuals to understand the significance of the cyber security breach as well as steps to reduce the risk of harm resulting from the breach.
The notification to individuals must include the following information as mentioned in the regulations:
- A brief description of the circumstances of the cyber security breach
- The specific or estimated date on which the breach occurred
- A detailed description of the personal information that was leaked in the cyber security breach
- A description of the steps that the organization has taken to reduce the risk of harm resulting from the breach
- Steps that should be taken by the affected individuals to reduce the risk of harm
- Full contact information for the affected individuals to use to obtain further information about the breach
What is direct notification according to Canadian privacy breach notification rules?
Direct notification is when you notify an individual directly in person, by telephone, mail, email, or any other form of communication that a reasonable person would consider appropriate in the circumstances. If using email or mail, it is strongly suggested that you create a point of confirmation to verify that the information was received.
When can I indirectly notify individuals according to Canadian privacy breach notification rules?
This is rare and very limited; however, there are circumstances in which you can notify people indirectly. These include the following:
- If direct notification would cause further harm to the affected individual of the cyber breach
- If direct notification would cause undue hardship for the organization
- If the organization does not have contact information for the affected individual of the cyber security breach
What are examples of indirect notification that can be used in a Canadian privacy breach notification?
Indirect notification must be given using a public communication that could reasonably be expected to reach the affected individuals of the cyber security breach. This may include public announcements, advertisements including online or offline news media channels.
These methods must be likely to reach the affected individuals. For example, a mention only on the company blog may not reach the affected individuals the way a dedicated public announcement would, so the organization would not have met its legal obligation under the Canadian privacy breach notification rules.
What does notification to organizations mean?
An organization that notifies an individual of a cyber security breach involving a real risk of harm must also notify any government institutions or organizations that it believes can reduce the risk of harm.
What are some examples of notification to organizations?
This may vary depending on the organization, industry, breach and circumstance however it could include:
- Notifying law enforcement when there is a cyber-attack on your computer infrastructure or computer systems. Law enforcement may be able to reduce the risk of harm that could result from the cyber security breach.
- Notifying any organization that processes your payments if you believe the organization may be able to reduce the risk of harm that could result from the cyber security breach.
How do you recover from a cyber security breach?
If your organization believes you have been the victim of a cyber security breach or incident, please feel free to contact the following resources to manage your cyber security breach.
- Call your bank. If your bank account or credit cards are involved, report it and cancel the cards immediately to avoid being liable for the losses.
- Most major financial institutions have fraud departments that are accessible 24/7/365.
- Call the police. Report the incident with as much detail as possible, and keep a note of the report number for reference.
- Call Service Canada at 1-800-O-Canada if any federally issued ID (for example a social insurance number or passport) was compromised. For a driver’s licence, contact your provincial or territorial ministry responsible for transportation; for a health card, contact the provincial or territorial government department responsible for health.
- Contact the Office of the Privacy Commissioner of Canada (OPC) for Personal Information Protection and Electronic Documents Act (PIPEDA) issues. They will offer advice and assistance: 1-800-282-1376 or privcom.gc.ca
- Call the Canadian Anti-Fraud Centre (CAFC) at 1-888-495-8501 or visit antifraudcentre.ca to report any cyber incidents or fraud.
It is extremely important that you take time to record all details regarding a cyber security breach.
How do you assess real risk of significant harm according to the Canadian privacy breach notification rules?
All organizations should develop a policy and procedure regarding the real risk of significant harm in a cyber security breach to ensure all breaches are assessed consistently.
Evaluating the real risk of significant harm may include the following:
- The nature and sensitivity of the personal information involved in the cyber security breach
- The risk and probability that the personal information has been, is being, or will be, misused.
As a part of your assessment of “real risk of significant harm”, your organization should consider the following:
- Sensitivity: PIPEDA does not define sensitivity. It does, however, describe the concept of sensitivity of personal information. It states the following: Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
- Probability of Misuse: This requires a more thorough process, with many questions to address, including the following:
- What happened and how likely is it that someone would be harmed by the cyber security breach?
- Who accessed or could have accessed the personal information?
- How long has the personal information been exposed?
- Is there evidence of malicious intent?
- How many pieces of personal information were breached (more data elements raise the risk of misuse)?
- Is the information known to be exposed to entities who are likely to attempt to cause harm with it?
- Has harm materialized due to the cyber security breach?
- Was the information lost, inappropriately accessed, and/or stolen?
- Has the personal information been recovered?
- Is the personal information adequately encrypted, anonymized or otherwise not easily accessible?
In conclusion, the Canadian privacy breach notification rules will change on November 1, 2018; however, you can protect your organization and its reputation.
If your organization is concerned with data security, we can help you reduce your cyber security risk and avoid triggering the Canadian privacy breach notification rules by protecting your data.
Our complimentary network and security assessment can put your IT infrastructure and business to the test.
365 iT SOLUTIONS is Toronto’s leading IT consulting boutique firm offering industry leading IT solutions including Managed IT Services, IT Support Services, IT Outsourcing Services, Tech Support Services and Cloud Services.
Disclaimer: The content on this web site is provided for general information purposes only and does not constitute legal or other professional advice or an opinion of any kind. 365 iT SOLUTIONS does not warrant or guarantee the quality, accuracy or completeness of any information on this web site. The articles published on this web site are current as of their original date of publication, but should not be relied upon as accurate, timely or fit for any purpose. 365 iT SOLUTIONS advises that users of this website seek specific legal advice by contacting their legal representation regarding any specific legal issues.