Digital Privacy Act Update

PIPEDA Mandatory Notification for Federally Regulated Organizations

Particular sections of the Digital Privacy Act that amend the Personal Information Protection and Electronic Documents Act (“PIPEDA”) will come into force on November 1st, 2018.  Organizations which are subject to PIPEDA will be required to report to the Federal Privacy Commissioner where any breach of a security safeguard arises involving personal information.  The amendments under division 1.1 require that a report to the Privacy Commissioner be done where there is a “real risk of significant harm to an individual”.

In order to determine whether there is a “real risk of significant harm” the legislature has provided three guiding factors:

  • the sensitivity of the personal information involved in the breach;
  • the probability that the personal information has been, is being or will be misused; and
  • any other prescribed factor.

Significant harm is defined in the legislation as including, bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

In addition to reporting to the Privacy Commissioner, if an organization determines that a “real risk of significant harm” exists due to a breach, the organization will also be required to notify the individual who has had their information compromised. The notification from the organization to the individual will require that sufficient information be provided to allow the individual to understand the significance of the breach and to provide them, where possible, with steps to reduce the risk.

In addition to the above, the notification to the affected individual requires the following:

  • a description of the circumstances of the breach;
  • the day on which, or period during which, the breach occurred;
  • a description of the personal information that is the subject of the breach;
  • a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
  • a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
  • a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
  • information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.

An interesting part of the legislation is that it does not necessarily prescribe a specific time requirement for notice to be provided.  Instead, the timing requirement says “as soon as feasible after the organization determines that the breach has occurred”. This necessarily opens the door for a variety of court interpretations for timing of notification required. The word feasible is defined as, to do easily or conveniently.  As a result, an organization could argue that a significant delay was caused because of a lack of resources, for example. As the legislation is new, until a court interpretation is given, organizations should err on the side of caution to provide information as soon as possible in the circumstances.

There is also a requirement under the legislation that the organization subject to the breach, notify any other organization or government institution if they believe that notification would help reduce the risk of harm or mitigate that harm.

The amendments will also require that an organization maintain a record of every breach that occurs. The record will be required to be kept for a period of 24 months after the day on which the organization determines the breach has occurred.

Organizations need to understand that failure to follow the legislation can potentially be very costly and fines can be up to $100,000.00. The new penalty sections will penalize organizations who do not follow reporting requirements under subsections 8(8), section 10.1 or subsections 10.3(1) and 27.1(1).

We will keep you up to date of any further case law that occurs and interpretation of the legislation.