On March 4, 2016, Innovation Science and Economic Development Canada (ISED) published a discussion paper on data breach notification and reporting regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) and invited interested parties to submit comments on the options identified in the document by May 31, 2016.
The aim of the discussion paper was to invite input and views on how the Government of Canada should design these data breach regulations. The paper outlined each area where the Government has the authority to make regulations, and invited stakeholders to respond to specific questions pertaining to key issues in each area. This document is a summary of the responses received.
ISED thanks all respondents for their valuable contribution to the development of PIPEDA's data breach regulations. A further opportunity to comment will be provided with the publication of draft regulations in the Canada Gazette, Part I.
Amendments to the Personal Information Protection and Electronic Documents Act
On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) received Royal Assent. The Digital Privacy Act made a number of important changes to PIPEDA to strengthen privacy protection, streamline rules for business and increase compliance.
Among the changes made by the Digital Privacy Act is the establishment of mandatory data breach reporting requirements. These obligations are set out in Division 1.1 of PIPEDA, which is not yet in force. In summary, organizations that experience a data breach—referred to in PIPEDA as “a breach of security safeguards”—must:
- determine if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach;
- notify individuals as soon as feasible of any breach that poses a “real risk of significant harm”;
- report any data breach that poses a “real risk of significant harm” to the Privacy Commissioner, as soon as feasible;
- where appropriate, notify any third party that the organization experiencing the breach believes is in a position to mitigate the risk of harm; and
- maintain a record of the data breach and make these records available to the Privacy Commissioner upon request.
The Government has the authority to make regulations to provide greater clarity and specificity with respect to PIPEDA's data breach reporting requirements. This includes the authority to set out the form and content of notifications and reports, additional factors to be considered in the determination of risk and details on record-keeping requirements, as well as other elements. The new data breach requirements will not come into force before the Government makes final regulations.
All respondents to the request for submissions welcomed the opportunity to comment on the design of data breach notification and reporting regulations. The majority of respondents are in favour of regulations in some of the areas outlined in the discussion document, in order to provide more certainty around the new obligations for regulated organizations.
An overriding theme that permeates responses in all areas is the need for maximum flexibility. Respondents underline concerns about overly prescriptive regulations, and express a desire to be able to adapt requirements to the particular circumstances surrounding the breach, existing business processes, and established communication practices.
Another theme is the desire for harmonization with data breach reporting requirements in other jurisdictions, in particular the existing guidelines for voluntary notification of the Office of the Privacy Commissioner of Canada (OPC), and the Alberta regulations under the Personal Information Protection Act (PIPA).
One respondent expresses concerns with the general approach to data breach notification and reporting established by the Digital Privacy Act, and calls for it to be set aside in favour of a different model whereby all breaches are reported to the Privacy Commissioner who then determines when individuals must be notified.
Factors for Determining “Real Risk of Significant Harm”
Respondents are split on the issue of whether or not regulations should identify additional risk factors to determine if a breach constitutes “real risk of significant harm”, with a small majority in favour of identifying additional factors, including the actions taken by the organization to mitigate the risk posed by a breach; the degree of malicious intent behind the data breach; and the nature of the relationship between the affected individuals and the breached organization (e.g. employees or customers).
The remaining respondents are of the view that the factors already identified in the legislation are sufficient to guide an assessment of risk. In its response posted on its website, the OPC states that “the Act already captures the key elements that organizations would need to consider in making their risk determination” and suggests that additional assistance to organizations be provided in guidance material as opposed to regulations.
On the issue of encryption, a large majority of respondents support confirming, in regulations, that the risk to individuals resulting from a breach can be presumed low in circumstances where appropriate encryption has been used. The OPC holds an opposing view stating that, while encryption plays a role in reducing harm associated with a breach, its use cannot necessarily be equated with a low risk of harm, given that there are other considerations that influence its effectiveness, such as whether or not the encryption key has also been compromised.
Report to the Privacy Commissioner
Most respondents support prescribing, in regulations, the minimum information to be included in a breach report to the Privacy Commissioner, and are in favour of aligning requirements with those of the existing OPC voluntary reporting form. The OPC itself also proposes that the report include details of the organization's relevant security safeguards, such as any improvements made to protect against the risk of a similar breach occurring in the future.
On the question of whether to include in the report the organization's assessment of the risk of harm resulting from a breach, respondents are again split. Those that are against such a requirement state that it would be difficult and burdensome for many organizations to comply with it, especially small or medium-sized enterprises, and that much of the analysis would amount to speculation. On the other hand, those that support including such an assessment argue that it would help individuals understand the significance of the breach. In addition, the OPC argues that the assessment would allow the OPC to determine if organizations are over-reporting or over-estimating the risk of harm.
With regard to providing updates on breach reports to the OPC as new or additional information becomes available, all respondents call for a flexible framework. They acknowledge the need to inform the OPC about known data breaches “as soon as feasible”, but warn that not all information about a breach will be immediately available and that regulations should allow an organization to update a report to the Privacy Commissioner where deemed necessary, for example, where there are material changes to the information.
Form and Manner
All respondents are supportive of providing a written report to the Privacy Commissioner, although several suggest that organizations be given flexibility with respect to how a report is made. For example, some would prefer the option of making an initial report by telephone, followed by a more detailed written report.
Most respondents are in favour of using an online portal for breach reporting, citing its ease of use and the potential for better data security. In particular, the need for confidentiality in the handling of breach reports is underlined by some respondents, given that reports may contain sensitive business and strategic information. However, some argue that the use of a portal should be optional, and that it should be compatible with standard business technology.
Notification to Individuals
Respondent positions vary on the issue of whether regulations should specify the required content of notifications to individuals. They are either of the opinion that the statutory requirement (Footnote 1) is sufficiently clear, or that prescribing a limited list of mandatory content (e.g. core or minimum requirements) would be helpful. However, there is general agreement that if content needs to be specified in regulations, it should align with the existing requirements for reporting in Alberta and the OPC guidelines for voluntary notification. Additional proposals include prescribing that notifications provide information on actions that an affected individual can take to mitigate harm from the breach, and the use of simple language to ensure that notifications are understandable to the average reader.
Form and Manner
All respondents on this issue are of the view that regulations should provide as much flexibility as possible with regard to how organizations may notify affected individuals. As it pertains to direct notification, a small majority prefer clear and explicit requirements, i.e., that telephone, letter, email and in-person notification be permitted forms of direct notification. Others, however, are of the view that regulations should take a more expansive, technology-neutral approach and permit any form of direct communication that has been established and agreed to by the individuals. They argue that in an era of evolving communication technologies, prescribing an exhaustive list would soon lead to regulations being out of date, and that some organizations only hold certain types of contact information about customers. Some respondents point to the Alberta data breach reporting regulations, which are silent on the means of notification to individuals.
Several respondents advocate for prescribing restrictions on the use of certain forms of communication for direct notification. For example, when notification is provided verbally, the organization should maintain a written log of the communication; and when notification is conducted by telephone, it should be made to the affected individual, not to an alternate individual or voicemail.
Some propose using performance-based criteria to restrict the selection of a communication method. For example, the chosen method of notification should not result in an increased risk of harm to the individual, and organizations should find out which method of communication is preferred by the individual for important notifications.
The OPC agrees with this view, stating that regulations should permit the use of a wide variety of communication methods, and that instruction to organizations on the selection of methods could be provided in guidance material.
With regard to indirect communication, the vast majority of respondents on this topic prefer a technology-neutral and non-exhaustive approach in regulations, allowing discretion so that organizations can determine the ideal method of communication under the given circumstances. In addition to traditional media broadcasting and website postings, respondents propose allowing indirect notification via social media, web portals, on-premise signage, and mobile applications.
A few respondents propose additional requirements around indirect notification. For example, such notifications should be posted for a sufficient length of time, and the communication method should be relevant to the type of product or service and appropriate to the nature of the interaction between the consumer and organization.
Commenting on the need to prescribe conditions where indirect notification may be undertaken, respondents are generally supportive of the OPC guidelines and the Alberta regulations in this area, i.e., where direct notification could cause further harm, where the contact information is not known or is insufficient, or where direct notification is cost prohibitive. On the latter point, most respondents are of the view that organizations are best placed to determine the cost level that they can accommodate, taking into account the size of the breach and the resources at their disposal. However, a few call for clear thresholds and even a definition of “prohibitive cost” in the regulations.
Notification to Third Parties
As to the question of prescribing circumstances where notification to other organizations is mandatory, a majority of respondents are of the view that organizations should have full discretion, arguing that existing contractual arrangements with partners and suppliers are in place for such a purpose, and that the context of each individual breach will determine the need for third parties to be informed.
Others are of the view that regulations should identify specific circumstances that trigger the requirement to inform third parties, such as law enforcement agencies and credit bureaus. The OPC suggests that no further conditions be prescribed in regulations, stating that assistance to organizations can be provided in guidance material.
On the issue of data breach record-keeping requirements, respondents have differing views as to whether or not regulations should address the contents of a record. Many express concerns related to the administrative burden imposed by record-keeping, and the risk that extensive record-keeping may prejudice an organization in legal proceedings.
Of those in favour of regulating the content of a breach record, several propose specific data elements for inclusion in the report for the purpose of clarity and consistency. Others propose a performance-based approach, such as prescribing that a breach record must contain information that is sufficient to demonstrate due diligence in the tracking of breaches and in conducting risk assessments. One respondent proposes that the record contain sufficient information to satisfy the Privacy Commissioner that an internal investigation of the breach was conducted and a determination made that a full report to the Privacy Commissioner was not required.
In its submission, the OPC indicates that the content of these records should help the regulator understand an organization's process of risk assessment, stating that the record should include sufficient information to demonstrate compliance with the notification requirements and enable the OPC to perform its oversight functions. More specifically, the OPC states that records should include the date (or estimated date) of the breach, a description of the circumstances surrounding the breach, the nature of the personal information involved, and a summary of the organization's risk assessment.
The majority of respondents commenting on the issue of a mandatory retention period for records are of the view that records should be made available to the OPC for two years. However, several propose a longer retention period of five to six years, in line with requirements for tax records.
There is general agreement among respondents that regulations should be silent on where the responsibility for data breach reporting lies within an organization, and that those regulations should clarify that a breach report made to the OPC may also satisfy the record-keeping requirement, at the discretion of the organization.
There is also a majority view on the need to clarify in regulations that record-keeping only applies to situations where the organization has actual knowledge of a breach, and that record-keeping should be permitted to take the form of periodic summaries. However, the OPC disagrees on these two points, suggesting there is a risk that restricting record-keeping to incidents where there is actual knowledge of a breach may prove to be a disincentive to implementing breach detection measures. The OPC also states a preference for all breaches to be documented on an individual, non-aggregated basis.
Several respondents call for a transition period between the publication of the final regulations and their coming into force, providing adequate time for organizations to implement any necessary changes to information management systems, and to train employees. Proposed transition times range from 6 to 18 months.
Public Access to Reports
A few respondents raise concerns about public access to data breach reports. In particular, they advocate that reports to the Privacy Commissioner be held in confidence by the OPC, given that they may contain proprietary information, and that only the OPC be permitted to disclose information obtained from data breach reports, on an anonymized and aggregated basis.
It should be noted that the Digital Privacy Act amends the Access to Information Act (ATIA) to create a statutory exemption to the disclosure of any data breach record or data breach report in response to an access to information request (Footnote 2). This amendment to the ATIA will come into force with PIPEDA's other data breach notification and reporting provisions found in Division 1.1 of PIPEDA.
Some respondents note that the Digital Privacy Act is silent on the issue of who is responsible for undertaking reporting and notification in the event of a data breach at a service provider, and propose that regulations clarify roles and responsibilities in the context of a principal-agent relationship.
During previous consultations on the development of legislative amendments to PIPEDA for data breach notification and reporting, it was generally agreed among stakeholders that the concept of control already established under the Accountability principle of PIPEDA is sufficient for the purpose of determining responsibility for a breach notification requirement under PIPEDA. In other words, for situations involving a breach occurring in the context of a principal-agent relationship, the responsibility for data breach notification and reporting would lie with the organization in control of the data.
Consistent with the Accountability principle, the term “control” does not necessarily equate to “custody”, but instead refers to overall responsibility for the personal information. On this basis, a third-party processor or agent may have temporary custody of personal information, but under the Accountability principle, control rests with the principal organization. For example, in the case of a bank contracting the services of a processor for payment processing, the bank would be responsible for the notification even if the data breach occurred at the third party. In many cases, this will be the same organization that maintains an ongoing information relationship with the individual and assumes all of the related data protection obligations under PIPEDA.
There may be circumstances where notification by an organization other than the one having control of the information may be appropriate. For example, in the event of a data breach at a small retail merchant involving credit card information, the credit card issuer may be involved in providing the notice to individuals since the merchant may not have the necessary contact information. It is generally agreed by stakeholders that such an arrangement or understanding would need to be captured in contractual arrangements.
Feedback obtained during the consultation will inform the development of draft data breach notification and reporting regulations pursuant to Division 1.1 of PIPEDA (not yet in force). Draft regulations will be published in the Canada Gazette, Part I, for further comment. Views and opinions on draft regulations will be reflected in a final regulatory proposal to be published in the Canada Gazette, Part II.
ISED would like to thank all those who have contributed to this consultation.