The draft privacy breach regulations under PIPEDA have just been published. They are open for comment for 30 days.
These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach. PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in “real risk of significant harm”. Those provisions will come into force after the regulations are passed.
The draft regulations are about what was expected. They are similar to those under Alberta privacy legislation.
I agree with David Fraser’s view that section 4(a), which says notification to individuals can be sent “by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner”, is uncalled for. A notice of this nature is not spam, and it does not make sense to require that an individual has given consent for communication in that manner to notify of a privacy breach. These notifications are for the benefit of the individual, so why make it harder for organizations to send them?
The amendments and regulations have provisions requiring organizations to keep records of all privacy breaches, including information that allows the Privacy Commissioner to determine if the organization properly considered the notice threshold tests. In other words, organizations must be able to prove that any decision not to notify was justified.
Cross-posted to Slaw
Several amendments were made last week to PIPEDA, the federal private sector privacy legislation. This has been sitting around in draft for a long time. Except for sections creating a new mandatory breach notification scheme, the amendments are now in force. The breach notification scheme requires some regulations before it comes into effect. More on that at the end of this post.
Several of these changes were long overdue, and bring PIPEDA more in line with some of the Provincial Acts that were drafted after PIPEDA.
Here are some of the highlights that are in force now:
- The business contact exception from the definition of personal information has been broadened.
- Provisions have been added to allow the transfer of personal information to an acquiring business for both diligence and closing purposes. Most have been approaching this in a similar way, but vendors, purchasers and their counsel should make sure they comply with the exact requirements.
- A new section says consent is only valid if the individual would understand what they are consenting to. This speaks to the clarity of the explanation, and is particularly important when dealing with children.
- Several new exceptions to the collection, use and disclosure of personal information without consent have been added, such as witness statements, communication to next of kin of ill or deceased persons, and fraud prevention.
- The Commissioner now has a compliance agreement remedy.
The breach notification sections that come into effect at a later date include:
- Mandatory reporting to the Commissioner of a breach where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” That test is somewhat subjective, and will no doubt cause some consternation in practice. Guidance is included on relevant factors to consider and what constitutes “significant harm”.
- The report must contain certain information and be on a form that will be in the regulations yet to be released.
- Affected individuals must be similarly notified.
- Businesses will be required to maintain records of “… every breach of security safeguards involving personal information under its control”, and provide a copy to the Commissioner on request. Note that this is “every” breach without regard to a harm threshold. This could pose a challenging compliance issue for large organizations.
- The whistleblowing provision has been amended to allow a complainant to “request” that their identity be kept confidential.
- The section with the $100,000 fine for interfering with an investigation has been amended to make it an offence to contravene the reporting requirements. That will make the decision of whether a breach passes the reporting threshold a serious matter to ponder.
Cross-posted to Slaw