A breach includes the loss of, unauthorised access to or unauthorised disclosure of personal information resulting from the failure to put into place the physical, organisational and technical measures and security safeguards referred to in Clause 4.7 of Schedule 1 of PIPEDA.
Organisations must keep a record of every breach of security safeguard involving personal information and must provide access to or copies to the OPC when requested. These records must be sufficient for the OPC to determine whether the organisation is fulfilling its breach obligations and must be kept for two years following the date on which the organisation became aware of the breach (Sections 6.1 and 6.2 of the Breach of Security Safeguards Regulations (SOR/2018-64)).
As set out in Section 2(1) of the Breach of Security Safeguards Regulations, the report should contain the following:
(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
(c) a description of the personal information that is the subject of the breach to the extent that the information is known;
(d) the number of individuals affected by the breach or, if unknown, the approximate number;
(e) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
(f) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and
(g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.
If the organisation needs to notify the affected parties, the notification as per Section 3 of the Breach of Security Safeguards Regulations should include:
(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
(c) a description of the personal information that is the subject of the breach to the extent that the information is known;
(d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
(e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
(f) contact information that the affected individual can use to obtain further information about the breach.
This notification can be in person, by phone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances (Section 4 of the Breach of Security Safeguards Regulations).
Whether a breach of security safeguards affects one person or thousands, it will still need to be reported if the organisation determines that there is a real risk of significant harm resulting from the breach.
In addition, PIPEDA requires organisations to notify other organisations, including government organisations, if they can reduce the risk of harm resulting from the breach.
The notification timeline is “as soon as feasible” after the breach is discovered.
Alberta’s Personal Information Protection Act also has similar mandatory breach notification requirements, and both Alberta and British Columbia have issued helpful guidelines for breach scenarios under their respective Personal Information Protection Acts. Quebec is anticipated to follow with similar mandatory notifications to maintain its ‘substantially similar’ designation with respect to PIPEDA. The Quebec privacy commission has also recently been more active in issuing guidelines.
Ontario’s Personal Health Information Protection Act (PHIPA) also has specific breach notification requirements. In addition to notice to the affected individual (Section 12(2)), Section 12(3) requires mandatory notice to the Information and Privacy Commissioner of Ontario where there is a theft, loss, unauthorised use or disclosure of personal health information in seven circumstances set out in Section 6.3(1) of O Reg 329/04. In the event of a breach under the PHIPA, individuals must be notified at the first reasonable opportunity and be provided with a statement informing them that they are entitled to make a complaint to the IPC. There are also specific requirements for health information custodians to notify a healthcare practitioner’s regulatory college within 30 days in any of the following situations (Responding to a Health Privacy Breach: Guidelines for the Health Sector, IPC, October 2018):
- The practitioner was an employee or agent of the custodian and was terminated, suspended or subject to disciplinary action as a result of a breach;
- The practitioner’s privileges or affiliation has been revoked, suspended or restricted as a result of a breach;
- The practitioner resigns and the custodian has reason to believe that the resignation is related to an investigation or other action carried out as a result of an alleged breach; or
- The practitioner relinquishes or voluntarily restricts his or her privileges or affiliation and the custodian has reasonable grounds to believe that it is related to an investigation or other action carried out as a result of an alleged breach.