On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.
ISED has drafted Regulations that hew close to similar regulations under Alberta’s Personal Information Protection Act. Far from being unsettling, this sense of déjà vu will be welcome for organizations concerned about coping with divergent requirements.
However, there are still some important differences to note:
1. Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm
The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly close to the content required under Alberta’s law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the “cause” of the breach if known. However, one significant difference is that organizations are not required to engage in speculation about the potential harm to individuals. This will be highly appreciated by organizations who have had to deal with Alberta’s law.
2. Organizations must make it easy on individuals to get information or to complain
The content of the notices to individuals of a breach are also similar to those in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals should have a toll-free number to contact someone who can answer questions on behalf of the organization (or an email address). Second, individuals must be informed about the organization’s internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.
3. There is flexibility with respect to the manner of reporting
The federal Regulations specifically provide that notices to individuals can be provided:
- by email or other secure forms of communication (to which the individual has consented)
- by letter
- by telephone
- in person
Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information. Indirect notification can be made by conspicuous posting of the notice on the organization’s website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.
4. Record-keeping is much less onerous than feared
One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), is that PIPEDA requires an organization to maintain a record of every breach of security safeguards even if that breach does not result in a real risk of significant harm to an individual.
The ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization provided that they contain enough information to allow the OPC to assess whether the organization was making any required reports to the OPC and required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the type of information that must be kept does not include a written assessment of the risk of harm.
Read the draft Regulations here.…