Consultations on breach reporting regulations under PIPEDA now underway
In June 2015, the Parliament of Canada adopted the Digital Privacy Act
(the Act) that amends PIPEDA to provide for mandatory breach reporting to the privacy commissioner and the affected individuals in circumstances very similar to those under Alberta’s Personal Information Protection Act
. However, the reporting requirements do not come into effect until the regulations regarding the particulars of the notice have been enacted.
So now is the time to help shape the regulations that will define your obligations moving forward.
It will be recalled that the Act requires breach reporting if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm. It provides for three criteria to be considered when determining the answer to that question.
Stakeholders are being asked some 26 questions
on a range of issues, including whether the criteria to be used for breach reporting should be further defined, whether the content of the notice should be mandated as well as whether and for how long details of any breach – even those not meeting the mandatory notice threshold – should be retained.
Preserving reporting flexibility
Under the Act and the Alberta legislation, organizations now have considerable latitude in the means of communicating information about a breach (email, in person, by mail) and the contents of that communication to the individuals affected provided that the notice is sufficiently detailed to permit individuals to mitigate their damages. This flexibility has served organizations well in the context of breaches covered by Alberta’s legislation and if stakeholders feel it should be preserved they should speak up now.
Equally worthy of commentary are the proposals concerning notice of the breach to third parties who are in a position to attenuate the risk of prejudice.
Adjustments for specific industries are possible
The proposed regulations have the potential to affect all businesses in Canada. Because the government has shown an openness to consider tailoring some of their provisions to industries demonstrating a need, it is important to speak up now.
After this initial consultation period, which comes to a close at the end of May, the government will publish draft regulations and will allow further public comment. However, it is always better to shape the regulations before they are published than attempt to modify them once they have been drafted.