On March 26, 2018, the Government of Canada passed an Order in Council fixing November 1, 2018, as the date on which section 10 of the Digital Privacy Act ("the DPA")1 comes into force.2 This section creates a new division in the Personal Information Protection and Electronic Documents Act ("PIPEDA")3 that will require private commercial enterprises4 to report certain breaches of security safeguards.
PIPEDA was enacted in 2000 to establish rules regarding "the collection, use and disclosure of personal information in a manner that recognizes [individuals' privacy rights] and the need of organizations to collect, use or disclose personal information[...]" in the course of commercial activities.5 In other words, the legislation acts as a nationwide baseline for privacy protection in commerce where the provinces have chosen not to enact their own legislation.
To recognize the evolution of technology and e-commerce since the PIPEDA was enacted, the Government of Canada passed the DPA in 2015.6 The DPA responds to some of the challenges that go hand-in-hand with technological growth, including an increased number of electronic data breaches. Since personal information is often stored in electronic format, the DPA represents a significant strengthening of privacy rights already existing within PIPEDA.
Reporting Requirements Under the PIPEDA
Under new section 10.1 of the PIPEDA, organizations will soon be required to report "any breach of security safeguards involving personal information under its control."7 The controlling factor is that a report must be made "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual."8
"Significant harm" includes "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on [credit records] and [property loss or damage]."9 Factors relevant to "significant harm" include "the sensitivity of the personal information involved in the breach" and "the probability that the personal information has been, is being or will be misused."10
The language imported into PIPEDA is clearly designed to mirror that already in use in certain provinces, such as in Alberta's Personal Information Protection Act,11 which has had mandatory breach reporting since 2010. The standard consistently returns to an objectively "real risk" of "significant harm". As stated by Commissioner Frank Work from the Alberta Information and Privacy Commissioner's office in GICdirect.com Financial Services Ltd:
13 In order for me to require GIC to notify the affected individuals, however, there must also be a "real risk" of significant harm to the employee as a result of the incident. This standard does not require that significant harm will certainly result from the incident, but the likelihood that it will result must be more than mere speculation or conjecture. Further, there must be a cause and effect relationship between the incident and the possible harm.12
With respect to timing, reports must be made "as soon as feasible" to the Privacy Commissioner and certain prescribed information must be included.13 Any affected individuals must also be notified of a security breach related to their personal information "as soon as feasible" unless the law prohibits such disclosure.14
In addition to certain prescribed information, the notice must include "sufficient information to allow the individual to understand the significance to them of the breach" and information on steps that could reduce risk or mitigate harm to them arising from the breach.15 Organizations must also contact other organizations or government institutions that can assist in reducing such harm or mitigating such risk to individuals.16
Organizations will also be required to keep a record of all security breaches involving personal information under their control. This record must be accessible by the Privacy Commissioner on request.17
Conclusion
As "organizations" under the PIPEDA, insurers and brokers should review their privacy policies and security safeguards before the new reporting requirements come into effect. These policies and safeguards should be modified to reflect the responsibilities that will be imported on organizations and to ensure compliance with the PIPEDA. Some aspects of the requirements, including the content of notices, have not been fully dealt with in the regulations.18 In this regard, all commercial enterprises, from insurers to retailers, need to be prepared for this changing landscape.
Footnotes
1 SC 2015 c 32.
2 PC 2018-0369.
3 SC 2000, c 5.
4 The new reporting requirements import responsibilities on "organizations", which under section 2(1) of PIPEDA includes "an association, a partnership, a person and a trade union".
5 Supra note 3, s 3.
6 Cyber Scout, "Digital Privacy Act Changes are coming. Are You Prepared?" (12 December 2017), Canadian Underwriter
7Supra note 3, s 10.1(1).
8 Ibid.
9 Ibid, s 10.1(7).
10 Ibid, s 10.1(8).
11 SA 2003, c. P-6.5. PIPA is the provincial equivalent of PIPEDA which takes its place as it is substantially similar s. 26(2)(b) of PIPEDA.
12 2011 CarswellAlta 2756.
13 Supra note 3, s 10.1(1) and (2).
14 Ibid, s 10.1(3) and (6). The breach may not be disclosed if an ongoing criminal investigation related to the breach prohibited disclosure.
15 Ibid, s 10.1(4).
16 Ibid, s 10.2(1).
17 Ibid, s 10.3(1)-(2).
18 Michael Geist, "Coming Soon (or at least by November): Government Sets a Date for Data Breach Disclosure Rules to Take Effect" (4 April 2018), Michael Geist (blog)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
