Canada’s New Data Breach Notification Rules: What you need to know

On November 1, 2018 the Government of Canada implemented significant changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). Much like the European Union's General Data Protection Regulation ("GDPR"), which took effect in early 2018, the changes put power back in the hands of the individuals whose personal data is being collected and stored. Non-compliance with PIPEDA can result in fines of up to $100,000 per violation. If your organization has not already done so, it is time to consider your obligations and create a plan to comply.

GDPR and PIPEDA 

With the arrival of the European Union's General Data Protection Regulation ("GDPR"), the Government sought to harmonize the Canadian rules with the new GDPR data breach notification rules. Although PIPEDA has long provided adequate protection for personal information, the Government took additional measures because it considered this important for Canada-EU trade.

Mandatory record-keeping for all breaches 

Much like the GDPR rules, Section 10.3 of PIPEDA requires organizations to keep and maintain a record of every breach involving personal information under their control. Organizations are also required to provide the Commissioner with the requested records in a timely manner. Based on the records provided, the Commissioner may publish the information if doing so is in the public interest, and/or launch an investigation or audit based on the information in the breach file.

The record-keeping requirement is an important compliance consideration and has the potential to create costs and risks for organizations. For example, if an organization does not fully comply with the record-keeping and reporting duties, it may face additional litigation claims in relation to breaches, including breaches that did not result in notifications to individuals.

Record-keeping Requirements  

Organizations must maintain a record of every breach of security safeguards for a minimum of 24 months after the day the organization determines that the breach has occurred. The record-keeping requirement applies to all breaches, not only those that give rise to a real risk of significant harm.

Under section 6.2, breach records must contain "any information that enables the Commissioner to verify compliance with [the breach notification and reporting provisions]", meaning the Commissioner must be able to validate whether the organization notified and reported breaches as required by PIPEDA in each case. The regulation does not give organizations specific rules on how the records are archived, but they must be able to provide the appropriate information on request.

Data Breach Reports  

PIPEDA's data breach obligation requires organizations to assess a number of factors in determining whether a breach of security safeguards poses a real risk of significant harm. It is up to the organization to consider the sensitivity of the information involved, the probability that the information will be misused, and the potential for "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property" when assessing the risk.

Data Breach Reports to the Commissioner 

If the Commissioner has requested a report, the regulation lays out what your organization needs to provide to comply. The report must be made in writing and sent by any secure means of communication. The requirements are as follows:

  • The circumstances of the breach and its cause.
  • The date or period of time when the breach occurred. If the time is not known, the approximate period must be provided.
  • The personal information compromised and the extent of the breach.
  • The number of individuals affected by the breach. If the number is unknown, the approximate number must be provided.
  • Clearly laid out steps that the organization has taken to reduce the risk of harm, or to mitigate harm, to individuals that could result from the breach.
  • The steps the organization has taken to notify affected individuals.
  • The name and contact information of a person in the organization who will answer the Commissioner's questions about the breach.
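As an added example (not code from the article or from Storagepipe), the following Python sketch keeps one breach-register entry, reports which of the items required in the Commissioner's report are still absent (honouring the rule that an approximate period or count is acceptable when the exact value is unknown), and computes the end of the 24-month retention period from the day the breach was determined. The field names and the dataclass layout are my assumptions; the regulation does not prescribe a record format.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_MONTHS = 24  # keep every breach record at least 24 months after determination

def add_months(d: date, months: int) -> date:
    """Advance a date by calendar months, clamping the day to the target month's length."""
    carry, idx = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, idx + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class BreachRecord:
    determined_on: date                 # day the organization determined a breach occurred
    circumstances_and_cause: str = ""
    occurred_on: Optional[date] = None  # exact date of the breach, or ...
    approx_period: str = ""             # ... the approximate period if the date is unknown
    information_compromised: str = ""
    affected_count: Optional[int] = None  # exact number of individuals, or ...
    approx_affected: str = ""             # ... an approximate number if unknown
    mitigation_steps: str = ""
    notification_steps: str = ""
    contact_name: str = ""
    contact_info: str = ""

    def missing_items(self) -> list:
        """List the items the Commissioner's report requires that this record still lacks."""
        missing = []
        if not self.circumstances_and_cause:
            missing.append("circumstances and cause")
        if self.occurred_on is None and not self.approx_period:
            missing.append("date or approximate period of the breach")
        if not self.information_compromised:
            missing.append("compromised personal information and extent")
        if self.affected_count is None and not self.approx_affected:
            missing.append("number or approximate number of affected individuals")
        if not self.mitigation_steps:
            missing.append("steps taken to reduce risk or mitigate harm")
        if not self.notification_steps:
            missing.append("steps taken to notify affected individuals")
        if not (self.contact_name and self.contact_info):
            missing.append("contact person for the Commissioner's questions")
        return missing

    def retain_until(self) -> date:  # last day of the mandatory retention period
        return add_months(self.determined_on, RETENTION_MONTHS)

    def may_purge(self, today: date) -> bool:  # only once the full 24 months have elapsed
        return today > self.retain_until()
```

A register built this way lets the organization show, for any breach, that the record still exists and which report items were captured, which is what the Commissioner checks under section 6.2.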

Data Breach Reports to the Individual  

Under sections 3 and 5 of the regulation, organizations must notify individuals whose personal data has been compromised. Unlike the GDPR, PIPEDA gives organizations considerable flexibility to decide, based on the type of breach, whether to notify the individual directly or indirectly.

Indirect Notifications   

Indirect notification must be given "by public communication or similar measure that could reasonably be expected to reach the affected individuals." In section 5, the regulation provides guidance on when organizations should use indirect notification:

  • Direct notification would be likely to cause further harm to the affected individual.
  • Direct notification would be likely to cause undue hardship for the organization.
  • The organization does not have contact information for the affected individual.

Direct Notifications   

Section 3 requires that notifications to individuals include sufficient information to allow them to understand the significance of the breach to them and to take steps, if possible, to reduce the risk of harm. PIPEDA requires that the same information required in the Commissioner's report be provided to the individual.

The components of a PIPEDA compliance strategy:

  • Ensure records of all breaches are archived for at least 24 months
  • Create a cybersecurity strategy for the storage of sensitive data
  • Develop an emergency response plan
  • Ensure legal compliance is up to date with GDPR and PIPEDA
  • Identify and assign a data privacy controller in your organization
  • Request access to the breach file from third-party service providers
  • A privacy toolkit is available here to help organizations live up to their PIPEDA responsibilities.

Storagepipe can help!  

With the implementation of GDPR and the PIPEDA changes, organizations must take control of how they obtain and protect personal data. With Storagepipe, we ensure your data is secure so you can get back to business. If you need help with keeping your data safe or creating a PIPEDA compliance strategy, contact us today.