Canadian Underwriter
New demands under privacy act could pose some challenges


November 2, 2015   by Angela Stelmakowich, Editor



Most new requirements ushered in by the Canadian Digital Privacy Act (DPA) are very helpful and provide a fix, but a number could pose some challenges, including maintaining a record for every breach, John Beardwood, a partner with Fasken Martineau LLP, said last week during an event in downtown Toronto.

“The requirement that you maintain a record of every breach,” Beardwood told attendees of Insurance Bureau of Canada’s 15th Annual Regulatory Affairs Symposium, “that could be somewhat problematic. You’re going to have a very close relationship with your IT folks.”

Amendments seek to enhance the privacy of personal information, but pose some challenges

The DPA, which amends the federal Personal Information Protection and Electronic Documents Act (PIPEDA), received Royal Assent this past June. Although revisions are extensive, new recording obligations are among a number of changes that merit additional attention, Beardwood suggested.

An organization is required to maintain a record of every breach of security safeguards involving personal information under its control, he pointed out. This demand applies beyond breaches that meet the threshold test, namely where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, notes a slide from his presentation.

The definition of “significant harm” is broad and includes, among other things, bodily harm, humiliation, damage to reputation or relationships, financial loss and identity theft.

Breach provisions are triggered by a “breach of security safeguards” – defined as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s PIPEDA security safeguards or failure to establish those safeguards.

Beardwood called it a very high-level standard, a deliberate choice, because the idea was that as technology evolves, the legislation would not become out of date.

“The problem with having a more amorphous standard as a basis for triggering breach requirements is the difficulty in proving” that, in fact, the standard was met, he suggested to attendees. “Security safeguards are just so broadly constructed that it’s hard to say whether you met that standard or not.”

“Companies are being subject to various cyber security events,” Beardwood said. If the requirement is “to keep a record of every one of those,” he recommended that companies speak with their chief information officers to ensure all records of incidents that could potentially affect personal information are maintained. “If you don’t, that’s one of the two new offences.”

Where the threshold test is met, a presentation slide notes, the DPA imposes the requirement to report the breach to the Office of the Privacy Commissioner (OPC) and also to notify the subject individual of such breach.

“The problem with this threshold, by having the same threshold for both, is that it encourages organizations to find the threshold test hasn’t been met so they don’t have to report to the commissioner,” Beardwood said.

An earlier recommendation from the Canadian Bar Association (CBA) had been to “keep them separate so the individual – that’s who we care about is the individual – always receives notification and they can mitigate their risk,” he said. “But now, of course, it’s the same threshold so the company has to take both of those factors into account.”

A very real concern is that the federal commissioner “does not have the resources to deal with reports of every privacy breach,” Beardwood said, “so to open the floodgates makes no sense.”

In addition, an organization must notify other organizations if it believes those organizations may be able to reduce the risk of, or mitigate, the harm that could result from the breach, or if any of the conditions to be prescribed by regulation are satisfied.

“This is potentially a significant obligation requiring notification of a potentially wide range of third parties, in particular where there is a potential for identity theft,” notes a presentation slide.

Another concern, as noted by CBA, is that by requiring an organization to outline the potential harms that result from the breach, “that effectively you’re providing a lay-up for privacy litigation counsel.”

The good news is that, currently, the revised act “does not require the assessment of harm,” Beardwood told symposium attendees. His presentation notes that the OPC, absent any regulation, has posted online a form of privacy breach incident report citing the following:

  • requires a report on the estimated number and type of individuals affected, but
  • does not require an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure.

There are also issues with timing, Beardwood noted, pointing out that an organization is required to make such a report as soon as feasible after the organization determines that the breach has occurred. Just how long this is remains unclear, but it needs to be long enough for an organization to complete its root cause analysis of the privacy breach, he emphasized.

The hope is that regulations under the DPA do not cement some of the challenges and concerns, Beardwood suggested.
