The Personal Information Protection and Electronic Documents Act’s (PIPEDA) new Breach Notification Rules will come into force on November 1, 2018.  This article provides a brief synopsis of what these rules entail, but it should not be construed as legal advice.  Members of the Winnipeg Chamber of Commerce are encouraged to speak with legal counsel to better understand how the Rules will affect their business.

In order for the Rules to apply, there must be a loss of, unauthorized access to or unauthorized disclosure of personal information that is under the control of a member (in other words, a “breach”).

It is important to note that responsibility for the reports/notifications outlined below will lie with the member if the member controls the personal information.  However, if a breach occurs at, for example, an arm’s length storage facility hired by the member to store personal information, it will be BOTH the member’s responsibility and the storage facility’s responsibility to comply with the Rules.

The Rules outline that if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, the member (and if applicable, any other third party) is then obligated, as soon as it is feasible to do so, to:

• file a report with the Privacy Commissioner of Canada;
• notify the individual(s) whose personal information was breached; and,
• notify any other organization or government entity that may be able to assist in reducing or lessening any harm to individuals (e.g. the police, credit reporting agencies, etc.).

In the report filed with the Privacy Commissioner of Canada, the member must (to the extent that the member knows):

• describe the circumstances of the breach and the cause;
• identify the period when the breach occurred;
• describe the personal information that is the subject of the breach;
• identify the number of individuals affected;
• describe the steps undertaken to reduce or lessen the risk of harm to the affected individuals;
• describe the steps undertaken to notify the affected individuals; and,
• identify the contact person at the member who will be able to answer any further questions from the Privacy Commissioner.

It is expected that this report will be updated as information is further gathered/determined.

In the notification provided to the individual, the member must (to the extent that the member knows):

• describe the circumstances of the breach;
• identify the period when the breach occurred;
• describe the personal information that is the subject of the breach;
• describe the steps undertaken to reduce or lessen the risk of harm to the individual;
• describe the steps that the individual could take to reduce their risk of harm (e.g. changing passwords, monitoring financial account activity, etc.); and,
• identify the contact person at the member who will be able to answer any further questions from the individual.

The goal of the notification to the individual is to provide sufficient information to allow the individual to understand the significance to them of the breach, such that they can take steps, if any are possible, to reduce the risk of harm.

Also, it is expected that the individuals affected will be directly contacted by the member (phone, email, mail, etc.), subject to exceptions of harm to the individual and/or hardship to the member and/or lack of contact information.  If any of the exceptions apply, indirect notification—via public communications (e.g. media, website, etc.)—will need to be utilized.

The legislation specifies that “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

In determining whether there is a “real risk” of such harm, the sensitivity of the information and the probability that it will be misused need to be considered.

It is important to note that if a breach occurs—and it is determined by the member that it does NOT create a real risk of significant harm to an individual—the member must still maintain a record of the breach for at least two (2) years thereafter.  The purpose for retaining these records is to allow the Privacy Commissioner to verify a member’s compliance with the Rules.  Therefore, if a breach is not reported to the Privacy Commissioner, the information that would have been provided to the Privacy Commissioner, if it had been reported, must be maintained.

Most importantly, these Rules provide for fines of up to $100,000 if an organization knowingly violates their obligations.