The Canadian federal government released the proposed Breach
of Security Safeguards Regulations under the Personal
Information Protection and Electronic Documents Act (PIPEDA)
on September 2, 2017.
Not yet in force, these Regulations set out the:
content, form and manner of a report to the Commissioner of a
breach under PIPEDA;
content of notification to affected individuals;
manner of direct notification;
circumstances permitting indirect notification;
manner of indirect notification; and
record-keeping requirements.
Introduction
PIPEDA currently defines a "breach of security
safeguards" as the loss of, unauthorized access to, or
unauthorized disclosure of personal information resulting from
either a breach of an organization's security safeguards or
an organization's failure to establish those safeguards.
PIPEDA and the proposed Regulations will require that an
organization report a breach to the Commissioner, and notify the
affected individuals, where it is reasonable in the circumstances to
believe that the breach creates a "real risk of significant
harm" to an individual. PIPEDA defines "significant
harm" (which includes, for example, bodily harm, humiliation,
damage to reputation, financial loss and identity theft) and sets
out the factors relevant to determining whether there is a
"real risk" of it: the sensitivity of the personal
information involved in the breach, the probability that the
personal information has been, is being, or will be misused, and any
other factor prescribed by regulation. PIPEDA also provides that the
report and the notification must be given as soon as feasible after
the organization determines that the breach has occurred.
Organizations must also notify other organizations and
governmental institutions if such organizations or institutions may
be able to mitigate harm.
These and other obligations are backed by compliance and
enforcement measures, including the Commissioner's ability to
enter into "compliance agreements" with organizations
and to apply to the Federal Court for an order directing an
organization to comply.
Content, Form, and Manner of a Report
The proposed Regulations state that any report to the
Commissioner must contain:
a description of the circumstances and cause of the
breach;
the date or period of the breach;
a description of the personal information that is the subject
of the breach;
an estimate of how many people are exposed to a "real risk
of significant harm";
a description of the steps the organization has taken to reduce
the risk of harm or to mitigate it;
a description of the steps the organization has taken, or intends
to take, to notify each affected individual; and
contact information of a person who can answer the
Commissioner's questions about the breach.
Content and Manner of a Notification
Similarly, the proposed Regulations will require that the
notification to an affected individual contain:
a description of the circumstances of the breach;
the date or period of the breach;
a description of the personal information that is the subject
of the breach;
a description of the steps the organization has taken to reduce
the risk of harm or to mitigate it;
a description of the steps the affected individual could take to
reduce the risk of harm or to mitigate it;
a toll-free number or email address that the affected
individual can use to obtain further information about the breach;
and
information about the organization's internal complaint
process and about the affected individual's right, under
PIPEDA, to file a complaint with the Commissioner.
The proposed Regulations also provide, among other things,
details regarding the manner in which organizations can directly
notify affected individuals, and when organizations can rely on
indirect notification.
Record-Keeping Requirements
Finally, organizations will, if the Regulations come into force,
be required to maintain a record of every breach of security
safeguards for 24 months after the day on which the organization
determines that the breach has occurred.
The federal government will be collecting feedback on the draft
Regulations until October 2, 2017. The final Regulations are
expected to come into effect after the government has considered
such feedback. In the interim, the draft Regulations give some
much-awaited clarity with respect to the breach notification
requirements contemplated by the federal government under
PIPEDA.
