The New Mandatory Data Breach Requirements under Canada s Federal Privacy Act


The New Mandatory Data Breach Requirements under Canada's Federal Privacy Act
Lisa R. Lifshitz, Partner, Torkin Manes LLP
Prepared for the Cyberspace Law Committee Meeting, ABA Business Law Spring Meeting, Orlando, April 12, 2018 (updated April 18, 2018)

Agenda
- Quick overview of Canada's privacy and data protection regulatory framework
- Mandatory data breach requirements today
- Amendments to PIPEDA, the Digital Privacy Act, and the new Data Breach Regulations

Regulatory Framework (Private Sector - Federal)
In Canada the collection, use and disclosure of personal information is governed by a number of federal and provincial laws; which law applies to an organization depends on where it is located and the industry it is engaged in. The federal Personal Information Protection and Electronic Documents Act ("PIPEDA") regulates the collection, use and disclosure of personal information in the course of a commercial activity in much of the private sector.
"Personal information" is broadly defined in PIPEDA: it includes any information about an identifiable individual, whether public or private, with limited exceptions.
"Commercial activity" means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
PIPEDA also applies to the personal information of employees of, or applicants for employment with, federal works, undertakings and businesses ("FWUBs").

Regulatory Framework (Private Sector - Federal)
Examples of FWUBs in Canada include airlines and aviation, banks, ferries, broadcasting and radio stations, inter-provincial railways, inter-provincial or international trucking, shipping or other transportation, nuclear energy and activities related to maritime navigation.
PIPEDA also applies to all personal information that flows across provincial or national borders in the course of commercial transactions.
PIPEDA applies to all private-sector organizations that collect, use or disclose personal information in the course of commercial activities in provinces that do not have substantially similar private-sector privacy legislation. PIPEDA does not apply to such organizations in provinces whose privacy legislation is substantially similar to it; currently that is only Alberta, British Columbia and Québec. Manitoba's Personal Information Protection and Identity Theft Prevention Act has received Royal Assent but is not yet in force. Even in those provinces, PIPEDA continues to apply to FWUBs, including their employees' personal information.

Regulatory Framework (Private Sector - Federal)
Organizations that operate inter-provincially must deal with both provincial and federal privacy legislation. All Canadian privacy legislation, including PIPEDA, reflects the following ten principles, derived from the Organisation for Economic Co-operation and Development Guidelines of the early 1980s: (1) accountability, (2) identifying purposes, (3) consent, (4) limiting collection, (5) limiting use, disclosure and retention, (6) accuracy, (7) safeguards, (8) openness, (9) individual access, and (10) challenging compliance. All four principal private-sector statutes (PIPEDA and the Alberta, British Columbia and Québec acts) apply similar principles. Among other things, the principles (i) mandate that personal information may only be collected, used or disclosed with the knowledge and consent of the individual; (ii) limit the collection of personal information to what is necessary for the identified purposes; and (iii) require that personal information be collected by fair and lawful means.

Just a word about the public sector
Canadian provinces, territories and municipalities also have their own public-sector privacy legislation. Lots of statutes! See: the Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c F-25 (Alberta); Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c 165 (BC); Freedom of Information and Protection of Privacy Act, C.C.S.M. c F175 (Manitoba); Personal Health Information Privacy and Access Act, S.N.B. 2009, c P-7.05, replacing the Protection of Personal Information Act, S.N.B. 1998, c P-19.1 (New Brunswick); Access to Information and Protection of Privacy Act, S.N.L. 2002, c A-1.1 (Newfoundland); Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c 5 (Nova Scotia); Freedom of Information and Protection of Privacy Act, RSO 1990, c F-31 (Ontario); Freedom of Information and Protection of Privacy Act, RSPEI 1988, c F-15.01 (Prince Edward Island); An Act respecting Access to documents held by public bodies and the Protection of personal information, RSQ, c A-2.1 (Quebec); Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c F-22.01 (Saskatchewan); Access to Information and Protection of Privacy Act, R.S.Y. 2002, c 1 (Yukon); Access to Information and Protection of Privacy Act, S.N.W.T. 1994, c 20 (Northwest Territories); and Access to Information and Protection of Privacy Act, S.N.W.T. (Nu) 1994, c 20 (Nunavut).
Note that the so-called MUSH sector (municipalities, universities, schools and hospitals) may be covered by the above legislation, so please verify which acts apply!

PIPEDA Principles re Data Protection
Organizations are responsible for personal information in their possession or custody, including information that has been transferred to a third party for processing (Principle 4.1.3). The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party (Principle 4.1.3).
Organizations that collect, use or disclose personal information must protect it with security safeguards appropriate to its sensitivity (Principle 4.7). PIPEDA obliges organizations to implement physical, organizational and technological measures. Physical measures may include restricting access to secure locations. Organizational measures include ensuring that only designated personnel have access, or the access keys, to personal information. Technological measures include data encryption, passwords and access keys.

PIPEDA Principles re Data Protection
The extent to which each of these protection methods is required varies with the sensitivity of the information in question: more sensitive information requires greater protection, and vice versa.
The European Commission has to date recognized PIPEDA as providing adequate data protection for the purpose of transferring European personal data to Canada, but with the stringent EU General Data Protection Regulation requirements applying from May 2018, how much longer will this last?

Data Breach Notification - Alberta
In 2010 Alberta became the first province to require mandatory data breach notification in the private sector. Alberta's Personal Information Protection Act ("PIPA") contains a mandatory security breach reporting requirement that applies to all private-sector organizations within the province (section 34.1); employee information is covered as well. PIPA requires organizations to notify the Office of the Information and Privacy Commissioner of Alberta ("OIPC") where personal information is lost, or accessed or disclosed without proper authorization. The reporting obligation arises only where the breach results in a real risk of significant harm to the individuals affected. The OIPC has interpreted the significant harm threshold to be met where the breach presents a material harm, i.e. one with non-trivial consequences or effects. Examples include possible financial loss, identity theft, physical harm, humiliation or damage to one's professional or personal reputation. Any such risk must be real, not merely speculative, hypothetical or theoretical.

Penalties - Alberta
Failure to report to the OIPC is a contravention of PIPA. Per section 59(2), a person who commits an offence under subsection (1) is liable, in the case of an individual, to a fine of not more than CDN$10,000 and, in the case of a person other than an individual, to a fine of not more than CDN$100,000.

Amendments to PIPEDA: The Digital Privacy Act and Data Breach Regulations
Until now, data breach reporting under PIPEDA has been voluntary, although encouraged by the Federal Commissioner, especially for significant breaches. This was widely perceived as an inadequate remedy with no teeth, and very few incidents were reported.
In June 2015, PIPEDA was amended by the enactment of the Digital Privacy Act ("DPA"). Pursuant to a March 26, 2018 Order in Council (Order in Council 2018-0369), sections 10 (dealing with breaches of security safeguards), 11, 14, 17(1), 17(4), 19, and 22 to 25 of the DPA will come into force on November 1, 2018.
The Breach of Security Safeguards Regulations (the "Regulations") were published in the Canada Gazette on September 2, 2017 and were subject to a period of public comment. As stated in a second March 26, 2018 Order in Council (Order in Council 2018-0368), the final text of the Regulations was published on April 18, 2018. Accordingly, it is anticipated that the final Regulations will also come into force on November 1, 2018.

Breaches of Security Safeguards: Reporting and Notification Requirements (Division 1.1, Breaches of Security Safeguards)
New definition: "breach of security safeguards" means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.
Who must be notified? The regulator (Office of the Privacy Commissioner of Canada). An organization shall report to the Privacy Commissioner of Canada (the "Commissioner") any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual (s. 10.1(1)).
When? The report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred (s. 10.1(2)).

Notification Requirements: Individuals
Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual (s. 10.1(3)).
When? The notification shall be given as soon as feasible after the organization determines that the breach has occurred (s. 10.1(6)).
What has to be in it? The notification shall contain sufficient information to allow the individual to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information. The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.

Notification Requirements: Anybody else?
Other organizations, if the risk of harm can be reduced. An organization that notifies an individual of a breach of security safeguards under subsection 10.1(3) shall notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied (s. 10.2(1)).
When? The notification shall be given as soon as feasible after the organization determines that the breach has occurred (s. 10.2(2)).

What is Significant Harm?
For the purpose of this section, "significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The factors relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include:
- the sensitivity of the personal information involved in the breach;
- the probability that the personal information has been, is being or will be misused; and
- any other prescribed factor.

Disclosure Without Consent
PIPEDA is further amended to allow disclosure of personal information without the knowledge and consent of the individual. New section 10.2(3) adds these exceptions: in addition to the circumstances set out in subsection 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual if the disclosure is made to the other organization, the government institution or the part of a government institution that was notified of the breach under subsection (1), and the disclosure is made solely for the purposes of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.

Data Breach Notification to the Commissioner
The Regulations (s. 2) list the minimum contents of the written report to the Commissioner, including:
- a description of the circumstances of the breach and, if known, the cause;
- the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach, to the extent that the information is known;
- the number of individuals affected by the breach or, if unknown, the approximate number;
- a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
- a description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act; and
- the name and contact information of a person who can answer, on behalf of the organization, the Commissioner's questions about the breach.

Data Breach Notification to the Commissioner
New information (s. 2(2)): an organization may submit to the Commissioner any new information referred to in subsection (1) that the organization becomes aware of after having made the report.
Means of communication (s. 2(3)): the report may be sent to the Commissioner by any secure means of communication.

Data Breach Notification to an Individual
The Regulations (s. 3) list the minimum contents of any notification to affected individuals, including:
- a description of the circumstances of the breach;
- the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
- a description of the personal information that is the subject of the breach, to the extent that the information is known;
- a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
- contact information that the affected individual can use to obtain further information about the breach.

Security Breaches: Direct or Indirect Notification
Direct notification must be given to the affected individual in person, by telephone, by mail, by email, or by any other form of communication that a reasonable person would consider appropriate in the circumstances (s. 4 of the Regulations).
Indirect notification must be given by an organization in any of the following circumstances (s. 5(1)):
- direct notification would be likely to cause further harm to the affected individual;
- direct notification would be likely to cause undue hardship for the organization; or
- the organization does not have contact information for the affected individual.

Security Breaches: Direct or Indirect Notification
Indirect notification may be given to affected individuals by public communication, or by a similar measure that could reasonably be expected to reach the affected individuals (s. 5(2)).
It is unclear how the indirect notification carve-out will be interpreted and applied, since it puts the onus on the aggrieved party to take active steps to find out about the breach. Organizations may be tempted to rely on public communications to avoid the considerable cost of individual notification, but it is uncertain whether such reliance will actually be reasonable.

New Obligation to Keep Records of Breaches
Organizations must also maintain a record of every breach of security safeguards involving personal information under their control, whether or not it met the reporting threshold, for 24 months after the day on which the organization determines that the breach has occurred (s. 6(1) of the Regulations). Organizations must be prepared to provide access to, or a copy of, the record on request by the Privacy Commissioner of Canada (s. 10.3(2) of the Act). The record must be sufficiently detailed to enable the Commissioner to verify compliance with subsections 10.1(1) and (3) of PIPEDA (s. 6(2) of the Regulations).

Penalties
Not quite the GDPR, but from a Canadian perspective a significant shift in approach.
Offence and punishment: an organization that knowingly contravenes the mandatory reporting of breaches of security safeguards or the requirement to maintain records of breaches, or that obstructs the Commissioner or the Commissioner's delegate in the investigation of a complaint or in conducting an audit, is guilty of an offence punishable on summary conviction and liable to a fine not exceeding CDN$10,000, or of an indictable offence and liable to a fine not exceeding CDN$100,000 (s. 28).

How do these changes impact U.S. organizations?
U.S. organizations with a substantial connection to Canada should revisit their existing corporate data breach / breach of security safeguards policies to ensure they at least minimally dovetail with the incoming requirements. Canadian courts have held that PIPEDA has extraterritorial application to foreign organizations involved in the collection, use or disclosure of personal information in Canada, including through the offer and provision of services to Canadians (Lawson v. Accusearch Inc. (c.o.b. Abika.com), [2007] F.C.J. No. 164; T.(A.) v. Globe24h.com, [2017] F.C.J. No. 96). Organizations that are subject to PIPEDA will have to report such incidents and keep records of them. Consider the impact on existing security incident / data breach policies, outbound and inbound vendor and customer contracts, records retention requirements and other corporate documents.

Questions? Thank you!
Lisa R. Lifshitz, Partner, Torkin Manes LLP
Phone 416-775-8821, Email llifshitz@torkinmanes.com
Torkin Manes LLP, 151 Yonge Street, Suite 1500, Toronto, ON M5C 2W7
www.torkinmanes.com