The change: In November of 2018, an amendment to the reporting rules in the Personal Information Protection and Electronic Documents Act (PIPEDA), came into effect.  The changes bring in a new requirement for organizations that gather personal information to report a breach of a security safeguard if it is reasonable to assume that there is a real risk of significant harm to the affected individual(s). The report must be made to the Office of the Privacy Commissioner of Canada (OPC). It also creates liability in both instances when a report is not provided or when security safeguards have not been established.  This reporting obligation is applicable to all organizations covered by PIPEDA, including small businesses, as is the obligation to keep records of breaches.

What’s a Breach? A breach of a security safeguard is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.”  

What Constitutes a Real Risk of Harm? A real risk of significant harm includes: bodily harm, humiliation, damages to reputation, financial loss, identity theft, and loss of employment or professional opportunities. Factors taken into account for this risk are the sensitivity of information and the likelihood of misuse of the affected personal information.   

Third-Party Information Processing: Where more than one organization is involved, the duty to report falls upon the organization that was in control of the information.  The term “control” is not defined, however it appears that where a breach occurs during the transfer of information to a third party for processing, the organization that had the information remains in “control” and responsible for that information. If a breach occurs while with the third-party processor, the report would still be from the initiating organization, unless there are contractual provisions that stipulate otherwise.

The Report & Record: A form of report may be obtained on the OPC website.  Whether reported or not, a record must be kept by the organization and retained for at least two years.  Each record should include the date of the breach, a description of the breach and circumstances, the nature of information involved in the breach, and whether or not the breach was reported to the Privacy Commissioner and/or individuals affected. The report must include sufficient detail to allow for the OPC to assess whether the organization is in compliance with the required security safeguards as well as whether the organization has appropriately used the substantial harm standard.

Get Some Help. If your business has experienced a breach of a security safeguard, get some help in assessing the risk of significant harm, and then determining how best to notify those impacted.  As always, Barriston is here to help deliver peace of mind.

Joanne McPhail and Brock Withey