The Who, What, When, Where & Why of PIPEDA’s Mandatory Security Breach Reporting


Privacy breach – these two words are enough to scare most employers. And it should not be surprising, given the recent wave of headlines about data breaches and the implications for employers. You can read some of the news articles here, here, and here, but there are countless more.

Individuals value their personal information probably more than ever, and privacy breaches are treated seriously today (as they should be).

As of November 1, 2018, employers subject to the Personal Information Protection and Electronic Documents Act (PIPEDA or the Act) will be required to:

  • report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals
  • notify affected individuals about those breaches, and
  • keep records of all breaches.

This blog post will provide the who, what, when, where and why of these obligations.

The Who

PIPEDA applies to federal works, undertakings or businesses (FWUBs), which include “any work, undertaking or business that is under the legislative authority of Parliament”. Not every business with a federal connection qualifies: insurance companies and credit unions, for instance, may be subject to some federal regulation, but are considered to be within provincial jurisdiction and are not considered federal works under the Act. These are only examples, and the fact that a company is federally incorporated does not always mean that it is a federal work, undertaking or business. If a company is subject to any part of the Canada Labour Code, it may be a federal work, undertaking or business.

FWUBs, both large and small, will be subject to PIPEDA’s requirements to report security breaches that pose a real risk of significant harm, to notify affected individuals of those breaches, and to keep records of all breaches. Notably, most provincially regulated employers are not governed by PIPEDA.

Employers are required to report a breach involving personal information under their control, but the term “control” is not defined in the Act. Where the principal organization has transferred personal information to a third party for processing and a breach occurs while the personal information is with the processor, questions of control may arise. PIPEDA’s accountability principle provides that an organization remains responsible for the personal information it has transferred to a third party for processing. The principal organization should therefore ensure it has written contracts with the processor that address compliance with PIPEDA’s breach provisions.

Similarly, employers are required to keep and maintain a record of every breach of security safeguards involving personal information under their control.

The What

Definitions

PIPEDA defines a breach of security safeguards as:

the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.

Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

In assessing a “real risk of significant harm”, relevant factors include the sensitivity of the personal information involved in the breach of security safeguards and the probability of misuse.

Penalty

It is an offence to knowingly contravene PIPEDA’s reporting, notification and record-keeping requirements relating to breaches of security safeguards. Employers could be subjected to fines of up to $100,000.

Reporting Obligations

In submitting a breach report to the Office of the Privacy Commissioner (OPC), employers should follow the specific guidance on what to include in a report and how to file reports.

Record-Keeping Obligations

PIPEDA requires employers to keep records of all breaches of security safeguards involving personal information under their control, whether or not there is a real risk of significant harm. In other words, there must be a record of every breach of security safeguards, not only of those that are reported. The records must be kept for two years unless other legal requirements oblige the employer to keep them for longer.

Records must contain any information that enables the OPC to verify compliance with PIPEDA’s breach reporting and notification requirements, including the requirement to assess whether there is a real risk of significant harm. At minimum, a record is expected to include:

  • date or estimated date of the breach;
  • general description of the circumstances of the breach;
  • nature of information involved in the breach; and
  • whether or not the breach was reported to the OPC or individuals were notified.

Notification Obligations

Employers are required to notify an individual of any security breach involving the individual’s personal information under the employer’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. The notification must be given as soon as feasible after the employer has determined that a breach of security safeguards involving a real risk of significant harm has occurred. The notification must be conspicuous and must be given directly to the individual, unless indirect notification is permitted under the regulations.

Employers notifying individuals of a security breach involving a real risk of significant harm must also notify any government institutions or organizations that the employer believes can reduce the risk of harm that could result from the breach or mitigate the harm.

The When

As noted above, PIPEDA’s mandatory security breach requirements came into effect on November 1, 2018.

The Where

Employers can use the PIPEDA breach report form to report a security breach.

Employers can also report any new information that they become aware of after a report has already been sent.

The Why

The purpose of PIPEDA is to facilitate growth in the digital economy by ensuring that Canadians have trust and confidence in how organizations handle their personal information. The Act employs a principles-based approach that balances the privacy rights of individuals with the legitimate needs of businesses to use or exchange information.

As explained in the final Regulatory Impact Analysis Statement (RIAS), mandatory data breach notification under PIPEDA provides an increased level of protection for Canadians and other consumers in the Canadian marketplace by allowing them to take steps to protect themselves from potential harm resulting from that breach. Moreover, this will harmonize Canada’s regime for data breach reporting with those of other jurisdictions, reducing the burden of reporting for organizations operating in multiple jurisdictions. In particular, Canada’s regime will continue to be aligned with the EU’s GDPR, which is important to Canada-EU trade.

Conclusion

Given the new rules, employers would be well-advised to ensure they have written policies and procedures in place to adequately handle privacy breaches. Employers should develop a framework for assessing the real risk of significant harm so that all breaches are assessed consistently. As part of this assessment, employers should consider both the sensitivity of the personal information involved and the probability of its misuse.

Employers can read and use the following resources for training purposes:

Nadia Zaman

I am an associate at Rudner Law. I am thrilled to be a part of the employment bar and have been elected to the executive committee of the Ontario Bar Association’s Labour and Employment Law Section, where I serve the interests of the profession and the public.