Part 1 – The Amendment
It has become a bit of a jingle – “the question is not if your organization will get hacked, it’s when” – but Canadian lawmakers are taking this mentality seriously. There is a clear commitment in Canada to ensure that individuals retain power over their personal information; how it is used; and, most importantly, how it is protected by organizations.
Earlier this year, the EU passed the revolutionary General Data Protection Regulation (GDPR). On November 1, 2018, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) will be amended to include mandatory breach notification rules, which are similar to the provisions included in the GDPR. On an international scale, Canada is seen as a leader in personal data protection, and the changes to the existing legislation further reinforce that image.
The amendment will require that organizations do three things:
- Report data breaches to the Privacy Commissioner of Canada;
- Notify the individuals who were affected by a data breach; and,
- Keep records of every breach of security safeguards.
These requirements will apply to every organization that collects, uses, or discloses personal information in the course of commercial activities in Canada.
The drafters of the legislation prescribe targeted requirements. For instance, a “breach of security safeguards” is defined as a loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of the organization’s security safeguards. This type of breach ranges from an employee accessing a consumer’s personal information without authorization (e.g., a bank teller accessing the information of an ex-spouse to see what they were spending money on) to an outside hacker accessing the organization’s network through illicit means. All breaches of security safeguards must be recorded by the organization and are subject to review by the Privacy Commissioner of Canada.
However, not every breach will require the organization to notify the consumer and to report to the Privacy Commissioner. Only those breaches that pose a real risk of “significant harm” will trigger these obligations. The current PIPEDA does not define the term “significant harm”; however, the new PIPEDA defines it as including bodily injury, humiliation, damage to reputation or relationships, loss of employment, identity theft, negative effects on the credit report, and damage to or loss of property.
In the course of determining whether a breach will cause significant harm, the organization must balance a number of factors including the sensitivity of the personal information; the probability of the information being misused; and other relevant factors specific to each case.