On March 26, 2018, the Government of Canada quietly announced that, on November 1, 2018, important changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force. This has not met with the fanfare of the EU’s GDPR (General Data Protection Regulation), but it is of significant note for businesses in Canada and, as with GDPR, for businesses that operate in Canada or keep information about Canadian citizens. PIPEDA has been around since April 2000, and these are significant updates to an existing law rather than a new one, which could be one reason why they have not been widely publicized. Let’s look at what the changes are.
Section 10.1 of PIPEDA will require organizations to notify individuals, and report to the Commissioner, all breaches where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual”. PIPEDA defines “significant harm” as including, among other harms, humiliation, damage to reputation or relationships, and identity theft. A “real risk” requires consideration of the sensitivity of the information, the probability of misuse, and any other prescribed factor. Note that the notification requirement applies only to breaches that create such a risk; however, as we will see below, any and all breaches are affected by the record-keeping requirement.
Notice to individuals, and the report to the Commissioner, must be given in the prescribed form “as soon as feasible” after it is determined that a breach occurred. The notice must contain sufficient information to allow the individual to understand the significance of the breach to them, and the steps they can take to reduce the risk of harm. The notice must be conspicuous and given directly to the individual, except in certain circumstances where indirect notice, such as posting to a website, may be permitted. These would be situations where contact information for some affected individuals is not available.
Section 10.3 of PIPEDA will require organizations to keep and maintain a record of every breach involving personal information under their control. Upon request, organizations must provide the Commissioner with these records. The Commissioner may publish information from the records if it would be in the public interest, and may also launch an investigation or audit based on the information in the breach file. It does not matter whether the breach was deemed reportable: a record of every breach must be kept, whether it was reported or not. Nor is there any threshold that must be met before an organization would be required to provide its ‘breach file’ to the Commissioner. Organizations will be required to keep breach records for at least two years, which is the limitation period for bringing a civil action in most Canadian provinces.
Pursuant to the regulation, a report to the Commissioner must be made in writing and contain the following information:
- The circumstances of the breach and, if known, the cause;
- The date or period during which the breach occurred;
- The personal information that is the subject of the breach;
- An estimate of the number of individuals at a real risk of significant harm;
- The steps that the organization has taken to reduce risk or mitigate harm to individuals;
- The steps that the organization has taken or intends to take to notify affected individuals; and
- The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.