New Mandatory Data Breach Regulations
The Canadian government has finally published regulations relating to mandatory privacy breach notification under the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The new requirements will come into force on November 1, 2018.
In June of 2015, the federal government passed the Digital Privacy Act, which amended various provisions of PIPEDA. The Digital Privacy Act also included new requirements relating to “breaches of security safeguards”, including notification of data breaches as well as reporting and record keeping obligations. The “in-force” date of the data breach provisions was delayed while the government drafted applicable regulations and engaged in public consultation.
On March 26, 2018, the federal government quietly issued an Order in Council confirming the new mandatory breach requirements under PIPEDA would come into force on November 1, 2018.
On April 18, 2018, the final version of the regulations were published. A copy of the final regulations can be found here.
Impact on Organizations
These new requirements constitute a significant change to the regulatory landscape. Mandatory breach reporting has a significant potential impact on business operations. Organizations subject to PIPEDA will have to ensure they are ready to comply prior to November 1, 2018.
The Regulatory Impact Statement that accompanies the Regulation does not have the force of law but provides helpful commentary:
PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity.
The federal government may exempt from PIPEDA organizations and/or activities in provinces that have adopted substantially similar privacy legislation. Quebec, British Columbia and Alberta have adopted private sector legislation deemed substantially similar to PIPEDA. Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have adopted substantially similar legislation with respect to personal health information.
However, even in those provinces that have adopted legislation that is substantially similar to the federal privacy legislation, PIPEDA continues to apply to certain activities by companies operating in British Columbia. Generally speaking, these are:
- all interprovincial and international transactions by all organizations subject to the Act; and
- to federally regulated organizations in the course of their commercial activities.
Effective November 1, 2018, organizations subject to PIPEDA will be required to notify the Commissioner, affected individuals, and potentially other organizations of breaches where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual”.
“Significant harm” is very broadly defined and includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property.
Report to the Commissioner
Where there is a “real risk of significant harm to the individual”, organizations must issue a report to the Commissioner containing the information prescribed in the new Regulation including, among other requirements: a description of the circumstances of the breach and, if known, the cause; a description of the steps the organization has taken to reduce or mitigate the risk of harm to affected individuals; and a description of the steps the organization has taken or will take to notify individuals of the breach.
Notice to the Individual
The Regulation sets out minimum requirements for the notice to affected individuals including, among other requirements: a description of the circumstances of the breach and a description of the steps the organization has taken to reduce the risk of harm arising from the breach. Notice must be provided directly to the individual except in the circumstances set out in the Regulation.
Affected organizations will be required to give notice “as soon as feasible” after it is determined the breach occurred.
Notice to Other Organizations and Government Institutions
Organizations may also be required to notify other organizations or government institutions if notice would reduce or mitigate the risk of harm to the individual.
Organizations that suffer a data breach as defined in the legislation are required to maintain records for 24 months of all breaches after they occur (even if they do not include a risk of significant harm) and to provide the records to the Commissioner on request.
Next Steps for Employers
- Organizations subject to PIPEDA should review their existing privacy policies and procedures to ensure they will be compliant.
- Organizations should ensure they have a robust breach response plan in place before November 1, 2018.
- Organizations should train employees on data breach risks and reporting requirements under the new legislative requirements.