Draft Guidance for PIPEDA’s Breach of Security Safeguards Obligations

Commencing November 1, 2018, Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) will require an organization that suffers a “breach of security safeguards” involving personal information under its control to keep prescribed records of the breach and, if the breach presents a “real risk of significant harm to an individual”, to promptly report the breach to the Office of the Privacy Commissioner of Canada (“OPC”) and give notice of the breach to affected individuals and certain other organizations and government institutions. Canadian organizations should now be taking steps to prepare for compliance. For more information, see Canadian Personal Information Security Breach Obligations – Preparing for Compliance.

On September 17, 2018, the OPC published draft guidance titled “What you need to know about mandatory reporting of breaches of security safeguards”, and a Notice inviting comments on the draft guidance. The draft guidance explains how an organization should assess whether a breach presents a “real risk of significant harm to an individual”, and encourages organizations to develop a standard framework for that assessment. The draft guidance also includes a PIPEDA breach report form, and lists the mandatory and optional information that should be included in a breach report.

My colleagues Eloïse Gratton, François Joli-coeur and I jointly submitted comments regarding the draft guidance. Our comments – which are made in our individual capacity – are limited to the guidance that a breach report must be submitted by “all organizations involved in the breach”, and the illustrative example that both an organization that collects personal information and its data processing service provider are obligated to report a breach to the OPC.

In our view, those aspects of the draft guidance are contrary to the plain language of PIPEDA’s breach of security safeguards provisions and inconsistent with the approach taken in other personal information protection regimes, and could have potentially serious adverse practical consequences.

Read our comments.