by: Paul K. Grower
The new Breach Notification Rules under the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force on November 1, 2018. This article provides a brief synopsis of what the Rules entail; it should not be construed as legal advice. Members of the Winnipeg Chamber of Commerce are encouraged to speak with legal counsel to understand how the Rules will affect their business.
For the Rules to apply, there must be a "breach of security safeguards": a loss of, unauthorized access to or unauthorized disclosure of personal information under the control of a member, resulting from a breach of the member's security safeguards or from a failure to establish those safeguards. The trigger is the loss of, access to or disclosure of the information itself, not merely a weakness in the safeguards.
It is important to note that responsibility for the report and notifications described below lies with the member whenever the personal information is under the member's control. That responsibility does not transfer when the breach happens elsewhere: if, for example, the breach occurs at an arm's length storage facility the member has hired to hold personal information, it will be BOTH the member's responsibility and the storage facility's responsibility to comply with the Rules. In practice, a member's contracts with service providers should therefore require the provider to report any breach to the member promptly, since the member cannot meet its own "as soon as feasible" obligations unless it learns of the breach without delay.
The Rules provide that if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, the member (and, where applicable, any other third party) is obligated, as soon as it is feasible to do so, to:
In the report filed with the Privacy Commissioner of Canada, the member must (to the extent that the member knows):
This report may be filed before all the facts are known, and it is expected to be updated as further information is gathered or determined.
In the notification provided to the individual, the member must (to the extent that the member knows):
The goal of the notification to the individual is to give the individual enough information to understand what the breach means for them personally, so that they can take whatever steps are available to reduce the risk of harm.
The member is also expected to contact affected individuals directly (by phone, email, mail, etc.). Direct notification is not required where it would cause further harm to the individual, where it would cause undue hardship for the member, or where the member does not have contact information for the individual. If any of these exceptions applies, indirect notification via public communication (e.g. a media notice or a posting on the member's website) must be used instead.
The legislation specifies that “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
In determining whether there is a "real risk" of such harm, the member must consider the sensitivity of the personal information involved and the probability that it has been, is being or will be misused.
It is important to note that even where a breach does NOT, in the member's determination, create a real risk of significant harm to an individual, the member must still keep a record of the breach for at least two (2) years thereafter. The purpose of retaining these records is to allow the Privacy Commissioner to verify the member's compliance with the Rules. Therefore, if a breach is not reported to the Privacy Commissioner, the member's record of it must contain the information that would have been provided to the Privacy Commissioner had it been reported.
Most importantly, the Rules provide for fines of up to $100,000 for an organization that knowingly fails to report a breach to the Privacy Commissioner, to notify affected individuals, or to keep the required records.