The Office of the Privacy Commissioner of Canada (the “OPC”) is seeking public comment on its new guidance (the “Guidance”) intended to assist organizations with mandatory reporting of personal data breaches, which will take effect in Canada on November 1, 2018. Under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Breach of Security Safeguards Regulations, organizations (both big and small) will be required to:
- Report to the OPC personal data breaches that pose a real risk of significant harm to individuals
- Notify affected individuals about those breaches
- Notify other organizations about the breaches (if applicable)
- Keep records of all breaches
The new OPC Guidance provides an overview of what organizations need to know about these obligations. We have put together the key takeaways:
Who has to report the data breaches?
The new breach-related obligations apply to every organization, regardless of its size, that is subject to PIPEDA and that experiences a breach involving personal information ‘under its control’. This also covers situations in which an organization transfers data to a third-party vendor. As a result, there may be multiple organizations in control of the personal information affected by a breach. In the Guidance, the OPC made it clear that it expects all organizations within the vendor chain that are aware of the breach to report it. This means, for example, that both the ‘controller’ organization and its vendor (who experienced the breach) must report to the OPC.
Which data breaches to report?
PIPEDA requires organizations to report every ‘breach of security safeguards’ involving personal information under their control if it is reasonable to believe the breach creates a ‘real risk of significant harm.’
breach – the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards (PIPEDA Part 1, Clause 2(1))
security safeguards – protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. They can include physical, organizational or technological measures. (referred to in PIPEDA Schedule 1, clause 4.7)
real risk of significant harm – is determined by the organization’s assessment of each individual breach. Organizations should have a framework for breach risk assessment that takes into account the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being, or will be misused.
How and when to report a breach?
As part of the Guidance, the OPC includes a template form for reporting breaches of personal information. Organizations must report a breach as soon as feasible after it occurs, even if not all information (e.g. the cause, or planned mitigation measures) is known or confirmed. The form includes questions on the description of the breach and details of any mitigation steps the organization has already taken to reduce the risk of harm to the affected individuals. The completed breach report form can be submitted by e-mail, by post or in person.
Don’t forget to notify the individuals
The Guidance reminds organizations that it is not only the OPC that must be notified: where there is a real risk of significant harm to individuals, they must be made aware of the breach as soon as possible, along with any other relevant organizations, such as law enforcement agencies or, for example, financial institutions in the case of a payment data breach.
The Guidance also sets out the minimum requirements for the content of the breach information organizations give to individuals. In terms of communication channels, individuals should typically be contacted directly. In cases where this is not feasible or is potentially harmful to the individuals, organizations can use public announcements instead.
Keep records of your breaches
Even though organizations would likely prefer their data breaches to be forgotten, PIPEDA requires them to keep records of all personal data breaches under their control, regardless of the risk level or whether they were reported. Every breach must be recorded, and the record must be kept for a minimum of two years. While breach records should describe the type of information involved, they typically should not include the personal information itself.
The OPC Guidance sets out a minimum content for the breach record:
- Date or estimated date of the breach;
- General description of the circumstances of the breach;
- Nature of information involved in the breach;
- Whether the breach was reported to the Privacy Commissioner of Canada and whether individuals were notified; and
- If the breach was not reported to the Privacy Commissioner or individuals were not notified, a brief explanation of why the breach was determined not to pose a “real risk of significant harm.”
The OPC is accepting public comment on the Guidance, including on the proposed breach reporting form. The deadline for interested parties to submit comments is October 2, 2018.
How OneTrust Helps
It’s clear that incident and breach management continues to be an important factor for privacy programs across the globe. OneTrust’s Incident and Breach Management solution can help you maintain incident and breach records, evaluate them against notification requirements and analyze overall risk with connections to the underlying data inventory. OneTrust’s Privacy Team provides research built into the software that covers many jurisdictions to ensure customers have the most up-to-date information to make smart decisions quickly.
Want to learn more? Visit OneTrust at SecTor this week in Canada and meet with OneTrust’s Director of Privacy, Andrew Clearwater! He’ll be speaking on Wednesday, Oct. 3 at 1:25pm in room 718B on ISO 27001 & The GDPR: Identifying Overlap and Streamlining Efforts.