
Déjà Vu – Canada’s Breach Reporting and Notification Requirements

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguards Regulations. The draft Regulations will be open for comment for 30 days. If the Regulations are not further amended by ISED, they may be registered and republished. ISED has stated that there will be a delay between finalizing the Regulations and their coming into force to permit organizations time to implement any necessary organizational changes.

ISED has drafted Regulations that hew close to similar regulations under Alberta’s Personal Information Protection Act. Far from being unsettling, this sense of déjà vu will be welcome for organizations concerned about coping with divergent requirements.

However, there are still some important differences to note:

1.  Reporting to the regulator can focus on the cause of the breach rather than speculate about the harm

The content of the report to the Office of the Privacy Commissioner of Canada (OPC) tracks fairly close to the content required under Alberta’s law. Perhaps as a matter of clarification more than a substantive difference, the federal Regulations specify that the report should include the “cause” of the breach if known. However, one significant difference is that organizations are not required to engage in speculation about the potential harm to individuals. This will be highly appreciated by organizations who have had to deal with Alberta’s law.

2.  Organizations must make it easy on individuals to get information or to complain

The content of the notices to individuals of a breach are also similar to those in Alberta. However, ISED has included some consumer-friendly requirements. First, individuals should have a toll-free number to contact someone who can answer questions on behalf of the organization (or an email address). Second, individuals must be informed about the organization’s internal complaint process. Finally, individuals must be advised of their right to complain to the OPC about the breach.

3.  There is flexibility with respect to the manner of reporting

The federal Regulations specifically provide that notices to individuals can be provided:

  • by email or other secure forms of communication (to which the individual has consented)
  • by letter
  • by telephone
  • in person

Moreover, organizations can opt for indirect notification (without having to pre-clear this with the OPC) if direct notification would cause harm to the individual, the cost of direct notification would be prohibitive to the organization, or the organization does not have current contact information. Indirect notification can be made by conspicuous posting of the notice on the organization’s website for 90 days (or more) or by means of an advertisement that is likely to reach the affected individuals.

4. Record-keeping is much less onerous than feared

One difference between the Alberta law and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is that PIPEDA requires an organization to maintain a record of every breach of security safeguards, even if that breach does not result in a real risk of significant harm to an individual.

The ISED has heard the concerns raised by organizations about this provision. Organizations only need to maintain records for 2 years. The form and content of the records are up to the organization provided that they contain enough information to allow the OPC to assess whether the organization was making any required reports to the OPC and required notifications to affected individuals. Since a report to the OPC containing the prescribed elements would be sufficient as a record, this appears to mean that the type of information that must be kept does not include a written assessment of the risk of harm.

Read the draft Regulations here.


Update on Canadian Data Breach Regulations

Innovation, Science and Economic Development Canada has issued a consultation paper asking Canadians what should be included in new data breach regulations that will be made under the Personal Information Protection and Electronic Documents Act (PIPEDA). The consultation will close on May 31, 2016. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely, therefore, that we would see breach reporting come into force in Canada before the last quarter of the year.

Why are regulations required?

Canada’s Parliament enacted the Digital Privacy Act in 2015. The Act included amendments to PIPEDA that will introduce new provisions relating to breaches of security safeguards. These provisions include mandatory breach reporting to the Office of the Privacy Commissioner of Canada (OPC) and to individuals and, in some cases, third parties. The provisions also contain controversial record-keeping requirements. These new data breach provisions will not come into force until the Government passes regulations regarding the form and content of the required notices. The Government may also supplement certain provisions in the legislation by way of regulation.

What are the key data breach obligations?

Once the amendments to PIPEDA come into force, organizations will have four new obligations regarding data breaches:

  • Organizations will need to keep records of breaches of security safeguards.
  • Organizations will be required to report a breach of security safeguards to the OPC if it is reasonable to believe that the breach creates a real risk of significant harm to an individual.
  • Organizations will be required to notify affected individuals about a breach that it is reasonable to believe creates a real risk of significant harm to the individual.
  • Organizations will be obligated to notify third parties if the third party could mitigate the risk of harm to the affected individual.

A “breach of security safeguards” is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s safeguards that are referred to in Clause 4.7 of Schedule 1 or from a failure to establish those safeguards.” Clause 4.7 of Schedule 1 of PIPEDA is the principle that requires an organization to protect personal information by physical, organizational, and technological measures that are proportional to the sensitivity of the personal information.

What is the consultation about?

The consultation relates to five key issues.

  • Record keeping: The Government wants to know what records organizations should be required to keep and for how long.
  • Risk assessment: The Digital Privacy Act provides that an organization assessing whether there is a “real risk” of significant harm should consider the sensitivity of the personal information involved in the breach, the probability that it will be misused and other factors that could be prescribed by regulation. The Government wants to know whether further factors should be specified and whether the risk of harm should be presumed to be low for data that was encrypted.
  • Reports to the OPC: The Government has asked what should be included in reports to the OPC about a breach of safeguards that poses a real risk of significant harm to the individual. The Government has asked whether reports should be made through an electronic secure tool developed by the OPC.
  • Notices to Individuals: The Government is considering a number of issues relating to individual notices. What should the content of the notices be? How much detail should be required? How should notices be delivered? Do the notices need to be separate from other communications by the organization? When should organizations be able to give notice indirectly, such as through posts on the organization’s website?
  • Notices to Third Parties: The Government is mindful that third parties such as law enforcement and consumer (credit) reporting agencies have a role to play in the protection of individuals from fraud and identity theft. The Government is asking whether there are circumstances that should be enumerated where reporting to third parties should be required.

What about the Province of Alberta’s regime?

The Government acknowledged that the Alberta regime for mandatory breach reporting has been in place for several years and that lessons could be learned from that province’s approach. However, the Government does not seem to be focused on ensuring that there is a harmonized system. It is possible, therefore, that we could see different types of reports and notices being required under PIPEDA than under Alberta’s law.


PIPEDA Amendments In-Force

Amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are frequently proposed but just as frequently die on the order paper. Bill S-4, which proposed the most significant amendments to PIPEDA since it was enacted 15 years ago, looked to some like it might be set for a similar fate given the upcoming summer recess for Parliament and a fall election. Not so. As we reported following the vote, Parliament finally passed Canada’s Digital Privacy Act, SC 2015, c32 last week. The Act received Royal Assent on June 18, 2015, with some amendments to PIPEDA going into force immediately.

This article provides a quick summary of the major amendments that are now in force, with our take on their significance. Missing from the list are the new breach reporting and notification requirements. The requirements to keep records of breaches of security safeguards, to report these breaches to the Office of the Privacy Commissioner of Canada (OPC) and to notify individuals of breaches that affect them won’t go into force until sometime in the future. Regulations setting out the content of the mandatory reports and notifications need to be drafted. For background on the breach reporting and notification provisions, see our previous blog post.

For now, here’s what organizations should know about the amendments to PIPEDA.

Compliance Agreements (ss. 17.1 and 17.2)

The OPC is now expressly empowered to enter into compliance agreements with organizations, which can be enforced by way of an application to Federal Court.

This tool can be used by the OPC whenever the OPC believes (on reasonable grounds) that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute (i) a contravention of PIPEDA or (ii) a failure to follow a recommended practice set out in Schedule 1 of PIPEDA. The compliance agreement can include any terms that the OPC negotiates with the organization.

Dentons Notes: The OPC has used this tool before but without express legislative authority. Although this tool will be very attractive to the OPC, it is not clear what will be “in it” for an organization. There is no protection for the organization from individual actions as a result of entering into a compliance agreement. The OPC may find that organizations are only interested in agreeing to these compliance agreements when they need time to implement an OPC recommendation and the OPC requires the agreement as a condition of obtaining that additional time.

Valid Consent (s. 6.1)

Consent of an individual is only valid if it is reasonable to expect that an individual would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The OPC’s view is that this isn’t really a change. However, PIPEDA is now more explicit that an organization must ensure that individuals understand the risks of consenting to collection, use and disclosure of personal information.

Dentons Notes: The OPC has an additional benchmark against which to criticize privacy disclosures. Now is the time to examine your privacy disclosures to determine whether the nature, purpose and consequences of your information handling practices are clearly explained.

Business Contact Information (s. 2(1))

A new definition of “business contact information” has been added and the definition of “personal information” has been revised to refer simply to “information about an identifiable individual”.

These amendments clarify that work contact information, including an email address (which had been omitted previously), may be collected, used and disclosed without the knowledge or consent of the individual so long as the purpose is to communicate or to facilitate communication with the individual in relation to their employment, business or profession.

Dentons Notes: This is common sense. This won’t change much but does clarify that a business email address and other contact information will be personal information if it is used for purposes other than to contact an individual in the individual’s business or professional capacity. For example, a work email address being used as an ID for a personal site is still personal information. A work telephone number given to a courier delivering a package to a home address is still personal information.

Business Transactions (ss. 2(1) and 7.2)

PIPEDA now contains provisions to assist in the transfer of personal information in connection with business transactions. It applies to a broad range of transactions (e.g. asset sales, mergers, loans, securitization of assets, and leases or licences of assets) provided that the transfer of the personal information is not the primary purpose of the transaction.

PIPEDA did not have provisions that allowed organizations to share information as part of the due diligence phase of a business transaction or upon the consummation of the transaction. This provision allows for sharing, subject to certain conditions. The information must only be used and disclosed for purposes related to the transaction. The information must be safeguarded. If the transaction is not completed, the information must be returned or destroyed. If it is completed, the individual must be notified, the use must be limited to the originally identified purposes (unless additional consent is obtained) and any withdrawal of consent must be honoured. The sharing must be necessary to determine whether to complete the transaction and, if completed, to carry on the business.

Dentons Notes: This is a substantial improvement to facilitate business transactions. However, the inclusion in the provision of a test of “necessity” means that organizations are going to have to consider carefully what information is really necessary to be shared and ultimately transferred. One quibble is that the inclusion of amalgamations is out of step with corporate law. It is unclear why Parliament thought an amalgamation involved a disclosure. The most commonly accepted understanding of an amalgamation in Canada is that assets are not transferred (or, in the case of personal information “disclosed”) as part of that type of business combination. Also, the “primary purpose” exclusion is going to be difficult in some contexts where the main asset of an ongoing business is information.

Employee Information / Employee Work Product (ss. 7(1)(b.2), 7(2)(b.2), 7(3)(e.2), 7.3)

These provisions apply to federal works, undertakings and businesses (known as FWUBs – e.g. banks, interprovincial railways, airlines, interprovincial trucking companies, offshore drilling platforms, telecommunications companies, etc.).

The amendments provide that notice, but not consent, is required for the collection, use and disclosure of personal information that is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual.

Furthermore, the knowledge or consent of an individual is not necessary to collect, use or disclose information that is produced by the individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.

Dentons Notes: Before FWUB employers rejoice, there is still enough here to be troublesome. What is “necessary”? What is “consistent”? An employer and an employee are unlikely to agree on the scope of these “wiggle words”.

Next of Kin / Identifying a Deceased Individual (ss. 7(3)(c.1)(iv) and 7(3)(d.4))

Personal information may be shared with a government institution that requests the information for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual.

Personal information may also be shared with government institutions, next of kin or authorized representatives for the purpose of identifying an individual who is deceased, ill or injured. However, the individual, if alive, must be advised of the disclosure after it has been made.

Dentons Notes: Organizations should develop policies and procedures. In the case of government requests, it is still necessary to establish the lawful authority of the institution. In the case of identifying an individual, it may be necessary to notify the individual (in writing and without delay) of the disclosure.

Financial Abuse (s. 7(3)(d.3))

An organization that has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse can make a disclosure (without the knowledge or consent of the individual) to a government institution or the individual’s next of kin or authorized representative for the purpose of preventing or investigating the abuse. It must be reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse.

This provision responds to a perceived need, primarily in the financial services industry, for some way to get information to family members or other representatives when an organization believes an individual is subject to financial abuse. The provision has been criticized by some advocacy groups for seniors. It is expected to be used sparingly.

Dentons Notes: Policies and procedures are essential. Document all decisions to demonstrate that there were reasonable grounds to believe that there was actual or potential financial abuse and why the individual could not be approached for consent. Ensure that any disclosures are handled carefully without committing defamation, particularly when the disclosure is being made about one family member to another.

Fraud Detection and Prevention (s. 7(3)(d.2))

The knowledge or consent of an individual is not required in order to share personal information for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed. It must be reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud.

Dentons Notes: This is another area where policies and procedures will help avoid missteps. Organizations should consider entering into information sharing agreements specifying the conditions under which information will be shared.

Investigations in Breaches of Contracts or Laws (s. 7(3)(d.1))

Organizations may share information without the knowledge or consent of an individual to investigate past, occurring or potential breaches of an agreement or contraventions of the laws of Canada or a province. It must be reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation.

Organizations were frequently stymied in their ability to share information with one another while conducting investigations into potential wrongdoing. This provision opens the door to sharing for the purposes of the investigation.

Dentons Notes: Sharing is not mandatory. Any sharing of information should be subject to restrictions regarding how any shared information will be used and further disclosed. All decisions to disclose should be documented, including the reasons why it was reasonable to expect notice and consent would compromise the investigation.

Witness Statements in Insurance Claims (s. 7(1)(b.1), 7(2)(b.1), 7(3)(e.1))

The knowledge or consent of an individual is not necessary to collect, use or disclose information contained in a witness statement that is necessary to assess, process or settle an insurance claim.

This provision facilitates sharing of witness statements following an accident or other insured event.

Dentons Notes: This provision is primarily of interest to the insurance industry. Care will need to be given to ensure that disclosures are limited to what is necessary.

Worth the Wait?

The basic framework of PIPEDA remains intact. In many cases, the revisions to PIPEDA contained in Bill S-4 are clarifications or provide legislative authority for practices that have evolved. Other cases, such as the new information-sharing provisions to combat fraud and financial abuse or to conduct investigations, are substantively new and are likely to be watched closely by the OPC to ensure that organizations use them in a measured and demonstrably defensible way. The one major change is data breach reporting and notification; however, no date has yet been set for when these provisions are going to go into force. Because of their importance, look for our upcoming post discussing these provisions and the compliance challenges in depth.


Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

Recent enforcement under Canada’s anti-spam legislation (CASL) by the Canadian Radio-Television and Telecommunications Commission (CRTC) is keeping the spotlight on this new legislation, which came into force just last year. While the CRTC is responsible for the bulk of enforcement under CASL, organizations should remember that CASL also brought in changes to Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information (including individuals’ email addresses).

The federal Office of the Privacy Commissioner of Canada (OPC) is responsible for investigating violations related to the new provisions under PIPEDA that target the practice of address harvesting. Address harvesting generally involves collecting electronic addresses through the use of a computer program, such as through web scraping, spyware, or automatic generation.

The OPC recently issued a guide and tip sheet for organizations on practical steps to take to avoid contravening the PIPEDA requirements, including:

1. Obtain consent: Organizations must ensure that individuals are informed clearly and accurately at the point of collection about how their email addresses will be used. Just because an email address is posted online, it cannot be assumed that the individuals at the addresses posted have provided consent to receive email marketing. It is also useful to remember that there is no exception for address harvesting of business email addresses; PIPEDA’s definition of personal information includes business addresses.

2. Due Diligence with Service Providers: If an organization buys a list of email addresses from a vendor or employs service providers to conduct email marketing on their behalf, they should take due diligence steps by asking key questions, such as:

  • How was consent obtained? Appropriate consent at the time of collection must be obtained to use email addresses. Ensure that email marketing service providers utilize a clear consent process. If buying or using a list from a list vendor, were the email addresses collected through web scraping or automatic generation?
  • How is the email address list kept up to date? Unless otherwise permitted under the law, individuals should be permitted to withdraw consent to the use of their personal information at any time, such as by unsubscribing from an email list, and this functionality should be made available. Organizations that use a purchased list of email addresses should ensure that any unsubscribe requests will be communicated to them so that the email can be removed from the list that they use.

3. Maintain written records: An organization should document all email marketing compliance measures, including due diligence steps taken when contracting with a list vendor or email marketing company. Ensure that the service agreements with these organizations expressly require compliance with CASL and applicable privacy laws.

Conclusion

Organizations are responsible for ensuring that all individuals that receive email marketing from them have provided appropriate consent for the collection and use of their address for marketing. The OPC will review reports to the Spam Reporting Centre to identify email harvesters and spyware collecting personal information without consent. Organizations should take steps to comply with PIPEDA to avoid being caught by an OPC investigation, which could lead to being named in the OPC’s reports of its findings and recommendations.


Supreme Court Issues New Interpretation Upsetting Established Protocol for Obtaining Internet Service Subscriber Information

On Friday, June 13, 2014, the Supreme Court of Canada issued a landmark decision (R v Spencer) upsetting a common interpretation of a provision of the Personal Information Protection and Electronic Documents Act (PIPEDA) that had been relied upon for many years as permitting pre-warrant disclosures of subscriber information by Internet Service Providers and other organizations in response to police requests.

The provision at issue was paragraph 7(3)(c.1) of PIPEDA, which provides that an organization may disclose personal information without the knowledge or consent of the individual if (a) the government institution (which includes law enforcement) has made a request for the information, (b) the government institution has identified its lawful authority, and (c) the disclosure falls within one of the following specified categories:

7(3) […] an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

[…]

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

The court concluded that the determination of whether law enforcement has lawful authority to request information without a production order or warrant depends on an analysis of whether the individual whose personal information is at issue has a reasonable expectation of privacy in that information. If the individual has a reasonable expectation of privacy in the information, law enforcement would (under current provisions of the Criminal Code) require a production order or warrant to obtain access to the information. If there is no reasonable expectation of privacy in the information, the information could be disclosed without a production order or warrant.

In coming to this conclusion, the court expressly rejected a common interpretation of paragraph 7(3)(c.1) of PIPEDA. Under that interpretation, lawful authority was law enforcement’s bona fide investigation of an offence. An organization could lawfully provide information in response to such a request. Instead, the court has affirmed that the analysis must begin with an understanding of whether there is a reasonable expectation of privacy in the information at issue. The fact that PIPEDA may permit disclosure without an order or warrant if there is no reasonable expectation of privacy is not relevant to determining whether there is a reasonable expectation of privacy in the first place.

Although the case involved access to subscriber records based on an IP address, the court’s ruling has broad implications for any organization that receives a police request for information that is not accompanied by a production order or warrant. Whether the current state of the law will remain for long is uncertain. Given the overall government agenda in Bill C-13, which is currently before Parliament, to expand the investigatory tool kit of police, one might expect to see some dialogue between Parliament and the court on this issue.
