PIPEDA breach notification & recording starts Nov 1 – are you ready?

Starting Nov 1 2018 PIPEDA requires businesses to notify the Privacy Commissioner and affected individuals of any privacy breach that poses “a real risk of significant harm”.

It also requires businesses to keep a record of all breaches of security safeguards that involve personal information, even if there is no risk of harm. It must include details of why a breach does not pass the reporting threshold.

So simply dealing with a potentially harmful privacy breach when and if it happens is not sufficient compliance.

The Commissioner can ask to see that breach record at any time. Failure to comply with the recording and notification requirements can result in a penalty of up to $100,000.

From a practical perspective, it means that there must be awareness by staff about what a breach of security safeguards is, and who to tell about it. It can’t be based only on complaints.

The Privacy Commissioner has published guidance on this. I’ve written about it before.

This chart is an overview of the process. Be sure to follow the detailed definitions and requirements in PIPEDA.

Cross-posted to Slaw

Are you ready for PIPEDA’s privacy breach recording obligation?

In a recent blog post I talked about the new privacy breach notification requirements coming under PIPEDA this November 1. I said that perhaps the most challenging aspect is a requirement to maintain a “record of every breach of security safeguards involving personal information under its control.”

Why is that so challenging?

Many large companies already have this kind of procedure in place. But most businesses do not. Maintaining a record sounds easy. But this is not so simple when you think it through. First, the business must create a procedure and educate its staff to recognize breaches and report them to its privacy officer, even if they are not significant. No longer can the business rely on staff recognizing a breach because it is serious and obvious, or because someone complains.

Then for each one the privacy officer must go through the analysis required under PIPEDA to determine if there is a “real risk of significant harm” that triggers a reporting requirement. The rationale for that decision must be recorded.

Why does it matter?

The Privacy Commissioner has the right to inspect any business’s breach record at any time. If a business does not report a breach when it is supposed to, or if they don’t keep a breach record, they can be subject to a fine of up to $100,000.

What you need to do about it.

Before November 1, every business subject to PIPEDA should put a breach recording procedure in place, educate their staff what a breach is, and how to report it to the privacy officer.

Cross-posted to Slaw

PIPEDA privacy breach notification coming Nov 1

Effective Nov 1, 2018, businesses that have a privacy breach must give notice of the breach under PIPEDA – the privacy legislation affecting the private sector in most Canadian provinces. The final regulations containing the details are about to be published.

Here are the highlights.

When do I have to report?

If there is a privacy breach that “creates a real risk of significant harm to an individual”. That includes bodily harm, humiliation, damage to reputation, financial loss, identity theft. Risk factors to decide the reporting threshold are provided.  The report must be made “as soon as feasible after the organization determines that the breach has occurred.”

What do I have to report?

Circumstances of the breach, when it happened, what information was breached, steps taken to reduce the risk of harm, steps individuals can take to reduce risk, contact information.

Who do I have to report to?

The Privacy Commissioner, the individuals, and third parties that “may be able to reduce the risk of harm.” That third party requirement will require some pondering.

But wait, there’s more

Perhaps the most challenging aspect is a requirement to maintain a “record of every breach of security safeguards involving personal information under its control.” That must be shown to the Privacy Commissioner on request. The challenge is that there is no threshold, and every breach, even trivial ones, must be recorded.

What are the penalties?

Failure to report when required, and failure to keep the breach records can result in a penalty of up to $100,000.

What do I need to do now?

Businesses should review their privacy policies and processes and amend as needed. Record keeping systems must be put in place for recording all breaches. A breach reporting and incident response process should be put in place.


Cross-posted to Slaw

PIPEDA privacy breach notification regulations published for comment

The draft privacy breach regulations under PIPEDA have just been published.  They are open for comment for 30 days.

These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach.   PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in “real risk of significant harm”.  Those provisions will come into force after the regulations are passed.

The draft regulations are about what were expected.  They are similar to those under Alberta privacy legislation.

I agree with David Fraser’s view that section 4(a), which says notification to individuals can be sent “by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner”, is uncalled for. A notice of this nature is not spam, and it does not make sense to require that an individual has consented to that form of communication before it can be used to notify them of a privacy breach. These notifications are for the benefit of the individual, so why make it harder for organizations to send them?

The amendments and regulations have provisions requiring organizations to keep records of all privacy breaches, including information that allows the Privacy Commissioner to determine if the organization properly considered the notice threshold tests.  In other words, organizations must be able to prove that any decision not to notify was justified.

Cross-posted to Slaw

Privacy Commissioner posts new case summaries

Privacy breaches and complaints can often be resolved cooperatively.  We usually hear about the large, dramatic, far reaching breaches more so than the smaller ones that get resolved.

The privacy commissioner just released some examples.

In one example, a fraudster used social engineering to obtain some information from customer service representatives, which enabled the fraudster to contact customers and try to obtain more information that could be used for fraud. The business investigated, contacted the individuals who may have been compromised, and took steps to reduce the chances of it happening again.

In another situation, a rogue employee took customer information that was then used to impersonate the company to collect money from a customer. The business was not very responsive to the customer complaint until the privacy commissioner got involved. In the end the employee was dismissed, the customer was made whole, and steps were taken to reduce the chances of it happening again.

From a business perspective, it shows the need to take privacy complaints seriously, and deal with them quickly and effectively.

From a consumer perspective, it shows the need to be cautious when you are asked for your information – especially when someone contacts you.  And be patient when your service providers take steps to make sure you are who you say you are.

Cross-posted to Slaw.

Digital Privacy Act amends PIPEDA

Several amendments were made last week to PIPEDA, the federal private sector privacy legislation.   This has been sitting around in draft for a long time.  Except for sections creating a new mandatory breach notification scheme, the amendments are now in force.  The breach notification scheme requires some regulations before it comes into effect.  More on that at the end of this post.

Several of these changes were long overdue, and bring PIPEDA more in line with some of the Provincial Acts that were drafted after PIPEDA.

Here are some of the highlights that are in force now:

  • The business contact exception from the definition of personal information has been broadened.
  • Provisions have been added to allow the transfer of personal information to an acquiring business for both diligence and closing purposes. Most have been approaching this in a similar way, but vendors/purchasers, and their counsel should make sure they comply with the exact requirements.
  • A new section says consent is only valid if the individual would understand what they are consenting to.  This speaks to the clarity of the explanation, and is particularly important when dealing with children.
  • Several new exceptions have been added that allow the collection, use and disclosure of personal information without consent, such as for witness statements, communication to next of kin of ill or deceased persons, and fraud prevention.
  • The Commissioner now has a compliance agreement remedy.

The breach notification sections that come into effect at a later date include:

  • Mandatory reporting to the Commissioner of a breach where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”  That test is somewhat subjective, and will no doubt cause some consternation in practice.  Guidance is included on relevant factors to consider and what constitutes “significant harm”.
  • The report must contain certain information and be on a form that will be in the regulations yet to be released.
  • Affected individuals must be similarly notified.
  • Businesses will be required to maintain records of “… every breach of security safeguards involving personal information under its control”, and provide a copy to the Commissioner on request. Note that this is “every” breach without regard to a harm threshold.  This could pose a challenging compliance issue for large organizations.
  • The whistleblowing provision has been amended to allow a complainant to “request” that their identity be kept confidential.
  • The section with the $100,000 fine for interfering with an investigation has been amended to make it an offence to contravene the reporting requirements.  That will make the decision of whether a breach passes the reporting threshold a serious matter to ponder.

Cross-posted to Slaw

Here’s how changes to PIPEDA would work

For the London Free Press – July 8, 2013 – Read this at lfpress.com

The Office of the Privacy Commissioner of Canada (OPC) recently released a report recommending reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the privacy legislation that governs private-sector privacy generally in Ontario and many other provinces.

The report noted that, “Ninety per cent of the data that exists in the world today has been created in the last two years,” and PIPEDA needs to evolve.

The report highlighted four recommendations.

1: Strengthen enforcement and encourage greater compliance

Statutory damages (meaning set damages without any requirement of proof) for certain contraventions of PIPEDA. The report cites the Copyright Act as a successful example of a statutory-damages regime.

Order-making powers to give the Commissioner the ability to issue a binding order to either enforce an action or prevent one from being committed. At present, the Commissioner can only recommend this type of action.

Administrative monetary penalties (AMPs) are suggested as a means of bringing organizations into compliance with PIPEDA. AMPs are similar to fines, but would be assessed directly by the Commissioner.

Why the OPC wants this: “It is legitimate to question how a small entity with limited resources, such as the OPC, can attract the attention of these companies and proactively encourage them to comply with PIPEDA when the reality is that there are very limited consequences for contravening Canadian privacy law.”

2: Shine a light on privacy breaches

Require organizations to report breaches of personal information to the Commissioner and to affected individuals.

Why the OPC wants this: Some organizations voluntarily report and inform individuals of privacy breaches. Some organizations do not. Those that do voluntarily report may face negative financial and reputational consequences while those that do not report may escape any form of recourse. This “creates an uneven playing field for organizations.”

3: Lift the veil on authorized disclosures

PIPEDA allows disclosure of personal information to a government institution, upon request, without the knowledge or consent of the affected individual. Organizations may, but don’t always, challenge or refuse these requests. The OPC would require organizations to maintain a record of disclosures to government and make it publicly available.

Why the OPC wants this: Canadians seeking access to their personal information would be able to find out if their information had been disclosed. There is no transparency or clear rules about what information can and should be provided to government institutions without a court order.

4: Walk the talk

Enforceable agreements would force an organization, at the end of a privacy investigation, to agree with the Commissioner’s recommendations and to comply within a set time period.

Make accountability provisions subject to review by the Federal Court.

Why the OPC wants this: Monitoring and analyzing a company’s actions are just as time-consuming as the Commissioner’s investigations.


Devil is in the defaults

June 18 2012 for the London Free Press

Read this on Canoe

Canada’s Privacy Commissioner Jennifer Stoddart is concerned that without financial penalties, some social media companies will continue to ignore Canadian privacy laws.

The commissioner recently appeared before the House of Commons to discuss stronger financial penalties for privacy violations in response to what she described as the apparent disregard some social media companies are showing for Canadian privacy laws.

There aren’t any financial penalties for those who violate the Personal Information Protection and Electronic Documents Act (PIPEDA).

“The problem with social media companies is generally their lack of transparency with regulatory authorities,” she said.

Social media companies amass a “staggering” amount of personal information from Canadians, she said, and though strides have been made to protect those details, she still has concerns about how they’re handled.

Social media use continues to grow and plays a predominant role in our everyday lives. The commissioner’s office has been trying to keep pace with the ever-changing developments within this industry.

The commissioner’s office has recognized that social media default settings in effect use opt-out consent for the use of personal information. On some websites, much of the personal information being shared by users, including photographs, marital status, age, and hobbies, is sensitive and should require express consent.

These services often do not inform users of the extent to which their personal information may be shared through default privacy settings.

Stoddart found Facebook was particularly guilty of this, although it’s made some changes to improve notification of the default privacy settings to users.

University of Ottawa law professor Michael Geist suggests that in some respects, social media and Internet companies are the most powerful decision makers regarding privacy.

He says the “devil is in the defaults.” The choices made by social media companies with respect to default privacy settings are the de facto privacy choices for millions of users.

Stoddart says other countries are moving to more robust enforcement regimes, and that Canada may fall behind because PIPEDA is too weak from an enforcement perspective.

She hopes MPs will enact greater enforcement powers and greater accountability standards for companies within PIPEDA. Stoddart said with barely any penalties for breaching its provisions, there is little incentive for companies to invest in better data protection. She feels if there were stricter penalties for companies that would affect their bottom line, they would be more inclined to adhere to the privacy laws.

Questions to ponder include:

Would the ability to collect financial penalties for PIPEDA violations make a difference?

Does the newness of social media products make it inherently difficult to get privacy right?

Does the complexity of social media products make it inherently difficult to create clear and simple privacy policies and choices?

Given pressure to generate revenue, do social media companies tend to set default choices to favour greater use of user data over privacy?

Do some social media companies just not put enough thought into privacy issues upfront?


PIPEDA amendments in force April 1

That’s the title of my Slaw post for today.  It reads as follows.

We have mentioned before that the Anti-Spam Act (Bill C-28) will not come into force until the fall. (It may potentially be delayed further because the election has delayed the creation of the regulations that must be in place before it is in force.) Several sections of the act that amend PIPEDA (Personal Information Protection and Electronic Documents Act) were however proclaimed in force effective April 1.

The PIPEDA amendments from the Anti-Spam Act are in force to the extent that they are administrative in nature. Those that interact with the anti-spam provisions are not yet in force, and presumably will come into force at the same time as the Anti-Spam Act.

These are some of the noteworthy changes.

A new section 12 gives the Commissioner the ability to refuse to investigate a complaint in certain circumstances: essentially, if there is a better forum for the complaint, or if a complaint is not filed within a reasonable time.

Section 12.2 gives the Commissioner the ability to discontinue a complaint in certain circumstances, such as where there is insufficient evidence, the complaint is frivolous, the organization has given a fair and reasonable response, or where it has been addressed in another procedure.

A new section 23 expands the scope of permitted sharing of information by the Commissioner with provincial and international counterparts. The idea is to foster co-operation in investigations.

And of course the bill that proposed specific changes arising from the five-year PIPEDA review died with the election. It contained many housekeeping changes that addressed shortcomings in the legislation revealed by experience. It also contained new things like notice requirements for privacy breaches. We will have to wait for a while to see what happens to that draft bill.