Increasingly we hear news stories about data security breaches. Whether through the theft or loss of a laptop computer or hackers finding a way to access an organization’s records, it seems that our data can be vulnerable to attack. The issue becomes particularly acute when the compromised data include sensitive personal information such as credit card numbers, social insurance numbers, or financial details, because thieves can use these data to hijack a person’s identity and commit identity theft.

If personal information held by your organization is stolen or otherwise compromised, what are the organization’s legal obligations? Surprisingly, under Canada’s federal privacy law applicable to the private sector, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), there is no specific requirement to notify anyone about the data breach. PIPEDA contains only general requirements that organizations be accountable for personal information under their care or control, that they employ appropriate safeguards to protect the information and that they be open and transparent about their information handling practices.

Parliament has recently conducted a statutory review of PIPEDA, and the Standing Committee on Access to Information, Privacy and Ethics issued its report in May 2007. Two of its recommendations were that:

  1. PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner; and
  2. Upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.

Time will tell to what extent Parliament enacts these recommendations. However, in the interim, the Federal Privacy Commissioner recently issued voluntary guidelines for data security breach notifications as well as a data breach checklist. The guidelines and checklist may be found in the media centre of the website for the Office of the Privacy Commissioner of Canada.

The guidelines refer to four key steps that organizations should take in the event of a data security breach. They are:

  • Breach containment and preliminary assessment;
  • Evaluation of the risk associated with the breach;
  • Notification; and
  • Prevention.

These steps represent a common-sense approach similar to the one organizations might typically follow in response to any extraordinary adverse event, such as a product recall.

As is the case with most aspects of PIPEDA, responsibility for decision-making about notification is left in the hands of the organization. In assessing the risk, the Privacy Commissioner recommends that organizations look to the types of compromised data elements, the sensitivity of the personal information at risk, the context of the compromised information, the accessibility of the information (i.e., if the information is properly encrypted and the encryption key was not also compromised, it may not be easily accessible even if stolen) and the possible uses of the compromised information. If the information is not particularly sensitive, accessible, or useful in the hands of third parties, it may be that notification is not necessary.

In terms of notification, the guidelines provide advice about the contents of a possible notification, as well as information about when and how to notify, who should notify and who should receive the notification. While not required under PIPEDA, the guidelines do encourage organizations to report material privacy breaches to the appropriate provincial privacy commissioners and/or the Federal Privacy Commissioner. The rationale for this reporting is that the applicable privacy commissioners can assist in fielding enquiries from the public, providing advice on how to handle the privacy breach and possibly enhancing the public’s understanding of the incident and its confidence in the organization’s response to it.

Dealing with a privacy breach is a difficult matter for any organization. While at present the law is clear that PIPEDA itself imposes no statutory requirement for notification, in many circumstances the public expects it. Although the Privacy Commissioner’s new guidelines do not have the force of law, they are highly persuasive, and an organization that does not follow them may find itself in a difficult position should a subsequent complaint be brought in respect of the breach. However, there can also be valid reasons not to notify.

Therefore, if a privacy breach occurs or is suspected, it is important to mobilize an internal team as soon as possible to manage the process. Legal advice in the early stages can help the organization to determine the most appropriate and cost-effective notification process, in addition to managing communications with the Privacy Commissioner’s offices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.