On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.
ISED has drafted Regulations that hew close to similar regulations under Alberta's Personal Information Protection Act. Far from being unsettling, this sense of déjà vu will be welcome for organizations concerned about coping with divergent requirements.
However, there are still some important differences to note:
1. Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm
The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly close to the content required under Alberta's law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the "cause" of the breach if known. However, one significant difference is that organizations are not required to engage in speculation about the potential harm to individuals. This will be highly appreciated by organizations who have had to deal with Alberta's law.
2. Organizations must make it easy on individuals to get information or to complain
The content of the notices to individuals of a breach are also similar to those in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals should have a toll-free number to contact someone who can answer questions on behalf of the organization (or an email address). Second, individuals must be informed about the organization's internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.
3. There is flexibility with respect to the manner of reporting
The federal Regulations specifically provide that notices to individuals can be provided:
- by email or other secure forms of communication (to which the individual has consented)
- by letter
- by telephone
- in person
Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information. Indirect notification can be made by conspicuous posting of the notice on the organization's website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.
4. Record-keeping is much less onerous than feared
One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), is that PIPEDA requires an organization to maintain a record of every breach of security safeguards even if that breach does not result in a real risk of significant harm to an individual.
The ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization provided that they contain enough information to allow the OPC to assess whether the organization was making any required reports to the OPC and required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the type of information that must be kept does not include a written assessment of the risk of harm.
Read the draft Regulations here.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com
For more information, visit our Privacy and Cybersecurity blog at www.privacyandcybersecuritylaw.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.