In 2015 Canada amended its digital privacy laws, except for proposed provisions relating to mandatory breach reporting and record keeping. Last April, the Canadian government published new rules to implement the mandatory breach reporting and record keeping provisions and bring the Personal Information Protection and Electronic Documents Act (PIPEDA) more closely in line with the European Union’s (EU) General Data Protection Regulation (GDPR). The new PIPEDA rules went into effect on November 1st, and affect how Canadian businesses respond to personal data breaches.
The requirements are simple: report when a breach results in a “real risk of significant harm” and maintain records of all breaches for at least two years.
PIPEDA applies to many organizations in Canada that collect, use, or disclose personal information for the purpose of commercial activity. The new rules regarding breach reporting and record keeping apply to all businesses, regardless of size, that are normally governed by PIPEDA.
Report when there is a ‘real risk of significant harm’
The new PIPEDA rules state that breaches resulting in a “real risk of significant harm” must be reported to the the Office of the Privacy Commissioner of Canada (OPC) and to the affected individuals. “Significant harm” is defined to include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” A determination of “real risk” requires consideration of “the sensitivity of the personal information involved” and “the probability the personal information has been/is/will be misused.”
Some cases of real risk of significant harm are clear. Others are not. The risk may also vary from business to business. The OPC suggests that companies develop a framework that will allow the determination to be made quickly and accurately when a breach occurs.
Developing this framework is similar to conducting a risk assessment and involves identifying the personal data a business collects, uses, or discloses, and considering what would happen should that information fall into the wrong hands. A ranking system that tags the consequences as “benign,” “of minor harm,” or “of significant harm” will give a clear context for when a breach should be reported. Developing this framework up front will make it much easier to respond to a breach effectively and in full PIPEDA compliance.
Keep records of all breaches for at least two years
Even if a breach doesn’t result in a real risk of significant harm, businesses must keep the records of all personal data breaches for at least two years. Much like safety incident reporting, the record for even a small, seemingly harmless violation, such as an employee inadvertently accessing a file without authorization, must be kept. At a minimum, that record should contain the date of the incident, a description of the breach, the type of information that was compromised, any analysis of whether the breach gave rise to a “real risk of significant harm”, and whether or not the breach was reported and to whom.
PIPEDA now more closely mirrors the GDPR
When the GDPR went into effect last May, it set the bar high when it comes to legislating data security measures. PIPEDA has adjusted its rules to more closely match the EU breach reporting requirements, giving Canadians a greater sense of security and supporting Canada-EU trade.
As a company located in Vancouver, Canada, but with customers in the US and the EU, Hushmail maintains compliance with all three major data security rules - the GDPR, HIPAA, and PIPEDA. In doing so, we not only assure our customers of the security of their encrypted email service, but also contribute to the global effort to make online business more transparent, reliable, and secure.
New Personal Information Protection and Electronic Documents Act (PIPEDA) rules went into effect on November 1st, affecting how Canadian businesses respond to personal data breaches. The rules are simple: report when a breach results in a “real risk of significant harm” and maintain records of all breaches for at least two years regardless of whether or not the breach caused harm.