In previous posts, I outlined the mandatory breach notification provisions under the Alberta Personal Information Protection Act (“PIPA”), I examined the test used by the Alberta Privacy Commissioner in determining whether to order individual breach notification and I described the consequences of failing to comply with the mandatory breach notification provisions of PIPA.
This post picks up from where I left off by describing the proposed amendments to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) introduced in September 2011 in Bill C-12, which has not yet progressed further than First Reading in the Canadian House of Commons. In the next post in this series, I will compare these proposed federal amendments to the existing Alberta provisions. Future posts will track the progress of Bill C-12.
Test for notification to the federal Privacy Commissioner
The proposed amendments to PIPEDA require an organization to notify the Office of the Privacy Commissioner of Canada of a “material breach of security safeguards” involving personal information under the control of the organization.
What is a breach of security safeguards?
A “breach of security safeguards” is defined to mean the loss of, unauthorized access to, or unauthorized disclosure of personal information that results from either a breach of security safeguards described in the privacy principles in Schedule 1 to PIPEDA or the failure to establish safeguards in accordance with those privacy principles.
In summary, the security safeguard principles set out in Schedule 1 of PIPEDA are:
- personal information must be protected against loss, theft, and unauthorized access, disclosure, copying, use, or modification;
- sensitive information should be safeguarded by a higher level of protection;
- methods of protection should include: (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, for example, the use of passwords and encryption; and
- disposal and destruction should be through secure methods.
What is a material breach?
Relevant factors for determining whether a breach of security safeguards is material include:
- the sensitivity of the personal information;
- the number of individuals whose personal information was involved; and
- an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.
Test for individual breach notification
An organization must make individual breach notification if:
- it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual; and
- there is no other law that would prohibit such disclosure.
What is significant harm?
“Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Relevant factors for determining whether there is a “real risk” of significant harm include:
- the sensitivity of the personal information involved in the breach; and
- the probability that the personal information has been, is being or will be misused.
How quickly must notification occur?
Notification to the Privacy Commissioner must be made as soon as is feasible after discovering the breach. Notification to individuals must be made as soon as is feasible after concluding that the test for individual breach notification is met. Notification must occur in a prescribed form and must generally be direct notification.
Test for third party notification
The proposed amendments also require an organization that makes individual breach notification to notify other organizations or government institutions if the risk of harm could be mitigated by doing so. For example, this might include notifying credit reporting agencies in cases where there is a real risk of identity theft that could be reduced by placing cautions on credit reports.
Penalties for non-compliance
Complaints regarding non-compliance with the mandatory breach notification provisions may be made to the Privacy Commissioner. The Privacy Commissioner may investigate and make recommendations and findings. Although the Privacy Commissioner does not have order-making powers, complainants may seek monetary damage awards before the Federal Court in certain circumstances.