1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Déjà Vu – Canada’s Breach Reporting and Notification Requirements

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.

ISED has drafted Regulations that hew close to similar regulations under Alberta’s Personal Information Protection Act. Far from being unsettling, this sense of  déjà vu will be welcome for organizations concerned about coping with divergent requirements.

However, there are still some important differences to note:

1.  Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm

The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly close to the content required under Alberta’s law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the “cause” of the breach if known. However, one significant difference is that organizations are not required to engage in speculation about the potential harm to individuals. This will be highly appreciated by organizations who have had to deal with Alberta’s law.

2.  Organizations must make it easy on individuals to get information or to complain

The content of the notices to individuals of a breach are also similar to those in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals should have a toll-free number to contact someone who can answer questions on behalf of the organization (or an email address). Second, individuals must be informed about the organization’s internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.

3.  There is flexibility with respect to the manner of reporting

The federal Regulations specifically provide that notices to individuals can be provided:

  • by email or other secure forms of communication (to which the individual has consented)
  • by letter
  • by telephone
  • in person

Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information.  Indirect notification can be made by conspicuous posting of the notice on the organization’s website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.

4. Record-keeping is much less onerous than feared

One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), is that PIPEDA requires an organization to maintain a record of every breach of security safeguards even if that breach does not result in a real risk of significant harm to an individual.

The ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization provided that they contain enough information to allow the OPC to assess whether the organization was making any required reports to the OPC and required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the type of information that must be kept does not include a written assessment of the risk of harm.

Read the draft Regulations here.

, ,

Déjà Vu – Canada’s Breach Reporting and Notification Requirements

CASL Private Right of Action Delayed (Indefinitely)

The Government of Canada has repealed the coming into force of the private right of action for violations of Canada’s Anti-Spam Legislation (CASL). The Government has listened to concerns raised by businesses, charities and the not-for-profit sector about the implementation of CASL, which would have permitted individuals to sue for violations of the law.

The Government has also acknowledged that “businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation” and has asked a Parliamentary Committee to review the legislation.

Read the Press Release here.

,

CASL Private Right of Action Delayed (Indefinitely)

Workplace Performance Concerns Lead to Privacy Violation

A recent Order of the Office of the Information and Privacy Commission of Alberta (OIPC) provides guidance on potential privacy traps when managing performance issues in the workplace.

Two coworkers of the complainant were concerned about the complainant’s workplace performance. The reasons are opaque but there may have been health issues such as substance abuse requiring rehabilitation. The coworkers who were friends of the complainant emailed and texted the parents of the complainant. At least one of the coworkers also provided information to the employer apparently at the request of the employer.

Ultimately, the adjudicator concluded that the coworkers were acting in a personal capacity when communicating with the parents (this was more by luck than design in one case). But, the employer was found to have violated the Alberta Personal Information Protection Act (PIPA) by failing to have a policy or otherwise notifying the complainant on the circumstances in which it might collect performance-related personal information from coworkers.

Were the communications to the parents in the course of employment?

If the coworkers communicated personal information about the complainant to her parents, this would have violated PIPA, as a disclosure without consent. The organization argued that the coworkers were not acting on behalf of the employer when they wrote to the complainant’s parents and disclosed information about her performance at work and their concerns about the complainant’s personal life. One of the emails was sent using the coworker’s work email address. However, the adjudicator concluded that this was not determinative since the coworker said that she was writing from that email account so that it would appear legitimate and provided her personal email account address as contact information.

The text messages were more complicated. The coworker sending those messages initially conveyed personal information about the complainant. However, in subsequent messages, this coworker relayed information about the steps the employer intended to take to address the complainant’s work performance and that the employer wanted to arrange a meeting with the complainant, the complainant’s mother and the coworkers. Ultimately the adjudicator concluded that the personal information that was disclosed in the text messages was done in the context as a friend of the coworker and not as a representative of the employer. As for the subsequent texts, the adjudicator concluded it was possible that the coworker was acting as an employee of the employer (with or without authority) but at that point the discussions were about a meeting and did not reveal further personal information.

Was providing the information to the employer done in the course of employment?

The adjudicator accepted that a coworker might provide personal information about another employee in their personal capacity rather than in the course of their employment. The adjudicator concluded that the key issue was the circumstances in which the information was provided. The adjudicator concluded that “[w]hen the information is provided in the workplace, and especially where it is solicited by someone in the organization that has the ability to deal with performance issues (as the employer does here), it seems to be reasonable to assume that the information is being provided as an employee, and not in a personal capacity.”

Did the employer violate the complainant’s privacy?

The adjudicator accepted that the complainant’s personal information at issue was information that would be useful in managing the employment relationship with the complainant and, therefore, the information was employee personal information. This was significant because there is more latitude to use and disclose employee personal information without consent. However, in order to use or disclose employee personal information without consent, the employer must provide reasonable notice to the individual. The notification must be given before the information is used and disclosed.

The adjudicator accepted that reasonable notice could include a policy on how an organization deals with performance or disciplinary issues or when feedback may be requested from coworkers, provided the policy was brought to the attention of employees. Alternatively, in this case, the employer could have approached the complainant first to discuss the performance concerns and advising the complainant that the employer may need to seek input from the coworkers. The employer failed to do so.

Key Takeaways

Employers should make sure that employee privacy policies or codes of conduct contain explicit reference to the need to gather information from coworkers in some cases in order to manage performance issues and how the employer will respond to unsolicited performance concerns by coworkers. This case did not involve an investigation into a harassment or other violation and so the exceptions for investigations did not apply.

This case also provides another reason to educate employees on obligations under personal information legislation. One could easily imagine other scenarios in which well-intentioned employees may be found to be acting in the course of their employment when communicating with family members or other friends of a coworker.

, ,

Workplace Performance Concerns Lead to Privacy Violation

A Cautionary Tale Regarding Consent and In-Store Tablets

The Office of the Privacy Commissioner (OPC) recently released a case summary with implications for retailers attempting to obtain consent for privacy-compliance or anti-spam compliance purposes.

Consistent with guidance by the Canadian Radio-television Telecommunications Commission (CRTC) with respect to Canada’s Anti-Spam Legislation, the OPC is taking a harder line with respect to the business records that an organization must retain in order to establish that an individual gave consent. The bottom-line is that the practice of obtaining consent by either having the individual or the salesperson check a box is vulnerable to challenge. Organizations should only use methods of obtaining consent that involve corroborative evidence.

Background

The complaint arose out of a dispute with respect to whether an individual had applied for a co-branded credit card with a retailer. While shopping in a retail store, the complainant was approached to join a loyalty program. The individual provided the salesperson with his driver’s licence as part of the registration.

Later, the individual received a credit card and learned that a credit check had been conducted on him. After obtaining access to the information held by the bank that provided the credit card, the complainant discovered that much of the information on the application was inaccurate and asserted that he had not provided that information to the salesperson. He also argued that he did not check the box on the tablet to permit a credit check.

The OPC concluded that the bank could not establish that it had obtained consent and that the information collected from the complainant was accurate. There was no evidence that the complainant ever saw the tablet screen, provided the information in the application, understood that the information would be used for a credit check or that the individual actually clicked the consent box on the tablet.

No Recognition of Canada Evidence Act

Certainly, the circumstances of this case were suspicious. However, bad facts can make for bad legal interpretations. That seems to be the case here. The OPC appears to believe that organizations must retain independent proof that consent has been obtained. This is similar to guidance form the CRTC’s guidance that oral consent to receive commercial electronic messages must be backed up with an audio recording or third party verification.

This guidance fails to directly engage with the laws of evidence within which both the Personal Information Protection and Electronic Documents Act and Canada’s Anti-Spam Legislation exist.  The Canada Evidence Act specifically contemplates that the business records, including electronic business records, are admissible for the proof of what is recorded in them. While other evidence may raise concerns regarding their accuracy or veracity, as in the case before the OPC, they are not inherently inadequate as the OPC and CRTC seem to suggest. In an informal administrative process such as the one before the OPC, the OPC may be free to ignore the law of evidence. However, this would not be the case before the Federal Court.

The real issue should have been that the organization was unable to establish that it audited compliance of the salespersons such as through secret shoppers or that the organization confirmed the individual’s consent by sending the individual a copy of the application once completed.

Conclusion

Be forewarned: organizations should have some means of corroborating their records when obtaining oral consent from individuals in retail stores in order to avoid problems with the OPC and the CRTC. To access the OPC’s decision, click here: PIPEDA Case Summary 2016-12.

A Cautionary Tale Regarding Consent and In-Store Tablets

New Guidance on Disclosure Exceptions for Investigations and Fraud

On March 17, 2017, the  Office of the Privacy Commissioner of Canada (OPC) published guidance on two new exceptions in PIPEDA permitting disclosure without consent. The guidance is very helpful to interpreting these new provisions and the OPC’s expectations of organizations. However, as expected, there is an undercurrent to the guidance suggesting that that the OPC would like to restrict organizations from setting up systematic information-sharing programs. This is very unfortunate given that these provisions are directly connected to improving confidence in the digital economy. Systematic sharing of information, particularly for fraud detection, suppression and prevention should be able to be accomplished if PIPEDA is truly technologically neutral. Without these tools, the OPC is incentivizing organizations to use much less transparent methods, such as predictive analytics.

Background

The Digital Privacy Act, 2015, amended Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to lower the threshold for when an organization could share personal information without the knowledge or consent of the individual for the purposes of an investigation into a breach of an agreement or a contravention of the laws of Canada. In addition, the Digital Privacy Act, 2015, added a new exception to PIPEDA to permit the disclosure of personal information without the knowledge or consent of the individual for the purpose of the detection or suppressing fraud or preventing fraud that is likely to be committed.

7(3) […] an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

The OPC did not support these amendments. Even before these amendments were passed and came into force, the OPC was sounding alarms that it would interpret these provisions narrowly.  In particular, the OPC was concerned about two issues:

First, the triggering threshold for a permitted disclosure was changed. Under the previous provisions, organizations had to have reasonable grounds to believe that the information related to a breach of an agreement or contravention of law. Following the amendments, an organization only had to determine that the disclosure was reasonable for the purpose of investigating a breach of an agreement or a contravention of a law or reasonable for the purpose of detecting, suppressing or preventing fraud.

Second, the range of purposes were too broad in the OPC’s view. In particular, the OPC was concerned about the possibility of oversharing under the fraud exception.

OPC Guidance

The OPC’s guidance is an attempt to ensure that organizations interpret these provisions narrowly. Although the OPC does not state expressly state that organizations cannot participate in systematic programs to attempt to detect or prevent fraud or breaches of agreements, it is clear that the OPC would prefer that these exceptions be used in isolated circumstances. This is particularly evident in the OPC’s statement that organizations must be able to establish on a case-by-case basis the reasons why it determined that disclosure was appropriate.

The OPC recommends that organizations prepare policies and procedures and to make those available to individuals. The OPC reminds organizations that individuals have the right to make an access request and obtain an account of the third parties to which information has been disclosed. The OPC would also like to see organizations report publicly on the number and type of disclosures made. It should be noted that there is no legislative basis that would require such reporting.

To satisfy the OPC’s concerns about indiscriminate use of these provisions, organizations should develop polices and procedures to ensure that the preconditions to disclosure are met and should make these policies and procedures available on demand.

Although the OPC seems to suggest that organizations should include disclosure of the use of these exceptions, it does not appear to be legislatively required to advise individuals in a privacy notice that the organization may use a lawful exception to disclose information without consent. Any such disclosure would have to be at a very high level unless the organization was participating in a systematic program to share information. What could an organization meaningfully say in the case of a disclosure under the investigation exception? Nevertheless, there are clear benefits to at least mentioning the possibility of these types of disclosures to prevent later accusations that the organization failed to be transparent.

Recommendations

When developing a policy or procedure for disclosures relating to an investigation into a breach of an agreement or the contravention of a law of Canada, organizations should require that, at a minimum, the following criteria (and the common criteria set out below) are met before disclosure:

  • If the investigation relates to a law, it is a law of Canada. The law should be specified and documented. A breach of a foreign law is not covered by this exception.
  • If the investigation relates to a breach of an agreement, the agreement is documented and in force at the time of the alleged breach.
  • The breach or contravention has already taken place, is ongoing or is about to happen. This suggests that the organization must document must be some credible evidence of a breach of the agreement or a contravention of a law of Canada.
  • The investigation is a bona fide formal or systematic inquiry to determine the facts. It cannot be a fishing expedition or gossip.

The following are the minimum criteria for disclosures relating to detecting or suppressing fraud or of preventing fraud:

  • If the disclosure relates to detecting or suppressing fraud or preventing fraud that is likely to be committed.
  • In the case of preventing fraud, the risk of fraud is probable and not merely possible .
  • The type of fraud that is in issue should be documented.

The following common criteria apply to disclosures under either provision:

  • If the organization has received a request for disclosure under these provisions, the request provides sufficient information to ensure that the rationale for disclosure is documented in the request. Requests should not be taken at face value.
  • The disclosure will be made from one organization to another organization. These provisions do not permit disclosure to law enforcement or family members.
  • The disclosure is reasonably related and proportionate to the investigation of the breach of an agreement or a contravention of law or to the activities of detecting or suppressing fraud or preventing fraud that is likely to be committed. Organizations should document their rationale for why the information is necessary to assist in the investigation or is rationally connected to and effective the detection, suppression or prevention of fraud.
  • Obtaining the consent of the individual would compromise the investigation or the fraud detection, suppression or prevention purposes. The rationale for the organization’s decision should be documented.

For the text of the OPC’s Guidance, see: Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA

,

New Guidance on Disclosure Exceptions for Investigations and Fraud