Data Breaches, Mandatory Reporting & What Businesses Need to Know about PIPEDA

Recently, Innovation, Science and Industry Minister Navdeep Bains and Heritage Minister Steven Guilbeault were mandated by Prime Minister Justin Trudeau to work on a “digital charter” that would include legislation to give Canadians “appropriate compensation” when their personal data is breached. It’s not clear when the legislation will be introduced, or what compensation could potentially be made available, but the current Federal government seems adamant that such legislation would include punitive fines for those found guilty of breaching personal data.

It seems more and more commonplace to hear about data breaches within Canadian businesses. Statistics Canada says that about 57 percent of Canadians online reported experiencing a cyber-security incident in 2018.

Just last month, the medical services company LifeLabs reported that information relating to about 15 million customers, mainly in B.C. and Ontario, may have been accessed during a massive data breach. Other large-scale data breaches that have made recent headlines include those at Desjardins Group and Capital One. All of these breaches have triggered class-action lawsuits.

On November 1, 2018, businesses operating in Canada became subject to new mandatory breach reporting regulations under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Prior to the new mandatory breach reporting regulations, data breach reporting to the Office of the Privacy Commissioner of Canada (the “OPC”) was done on a voluntary basis.

The OPC recently reported that the number of data breach reports has skyrocketed since reporting became mandatory. Between November 1st, 2018 and the time of its report, the OPC had received 680 breach reports, six times the volume received during the same period in the previous year. The number of Canadians affected by those breaches is estimated to be well over 28 million.

According to the OPC, while some of the reports involve well-known corporate entities (like the ones highlighted above), there has also been a significant amount of data breach reporting coming from small and medium-sized businesses. As such, this blog post serves as a primer to some of the basic information all organizations subject to PIPEDA should know.

Who is subject to PIPEDA?

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of commercial activity. All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based.

The law defines a commercial activity as any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. PIPEDA does not generally apply to not-for-profit and charity groups or to political parties and associations; however, it can apply to such organizations when they engage in commercial activities that are not central to their mandate and that involve personal information.

How does PIPEDA interact with provincial privacy laws?

Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province. Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use and disclosure of personal health information.

In cases where organizations operate in multiple provinces, it is commonplace for the OPC to collaborate with its provincial counterparts in investigations following data breaches. For example, on July 8, 2019, the Commission d’accès à l’information du Québec and the OPC announced they would be collaborating in investigating the privacy breach involving Desjardins Group.

What is Personal Information?

Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual.

This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and personal intentions.

It is important for organizations subject to PIPEDA to consider what may constitute personal information. For example, a Windsor grocery store recently came under media scrutiny for its anti-shoplifting methods. In addition to posting photos of alleged shoplifters on a large wall with the word “thief” written under the pictures, the grocery store also plays videos of alleged thieves on a large, public-facing television screen. The Office of the Privacy Commissioner of Canada has commented before that photographs or video imagery can constitute personal information. An argument can be made that the grocery store would need the individuals’ consent before disclosing that imagery to the public.

There are, however, some clear instances where PIPEDA does not apply. Some examples include:

  • business contact information, such as an employee’s name, title, business address, telephone number or email address, that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession;
  • an individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. a personal greeting card list); and
  • an organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.

Fair Information Principles under PIPEDA

Organizations subject to PIPEDA must follow the 10 fair information principles to protect personal information, set out in Schedule 1 of the Act:

1. Accountability

An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.

2. Identifying Purposes

The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.

3. Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

4. Limiting Collection

The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.

5. Limiting Use, Disclosure, and Retention

Unless the individual consents otherwise, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.

6. Accuracy

Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.

7. Safeguards

Personal information must be protected by appropriate security relative to the sensitivity of the information.

8. Openness

Organizations subject to PIPEDA must make detailed information about their policies and practices relating to the management of personal information publicly and readily available.

9. Individual Access

Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance

An individual must be able to challenge an organization’s compliance with the above principles.

Mandatory Reporting of Data Breaches

Organizations subject to PIPEDA are required to report to the OPC any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. Failure to report a data breach can result in fines of up to $100,000.

Real risk of significant harm is determined based on the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused. Organizations subject to PIPEDA also need to notify affected individuals about those breaches.

Some Best Practices to Reduce Privacy Breach Risks

While there’s no need to report a breach to the OPC that does not present a real risk of significant harm, organizations subject to PIPEDA must maintain a record of every breach that occurs within the organization, and keep those breach records for a minimum of two years. The OPC has the authority to proactively inspect those records.

Organizations subject to PIPEDA should always know what personal information they possess, where it is stored, and what the information will be used for.

Organizations should review where they are potentially vulnerable. Organizations should conduct risk and vulnerability assessments and penetration tests to ensure that threats that could lead to a breach of personal information are identified. Such a risk and vulnerability assessment should focus on both technical and non-technical vulnerabilities. Organizations should also ensure that their employees are aware of these risks and of their privacy responsibilities.

In addition, organizations should be aware of breaches within their industry. Hackers often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news.

What to do if you Experience a Data Breach

First and foremost, an organization that experiences a data breach should take all reasonable steps to contain the breach. This may include stopping the unauthorized practice, recovering the records, shutting down the system that was breached, revoking or changing computer access codes and correcting weaknesses in physical or electronic security.

As a general matter, it is recommended that the organization designate someone to lead the initial breach investigation. This individual should have appropriate authority and knowledge to conduct the initial investigation and make initial recommendations. If necessary, a more detailed investigation may subsequently be required.

Organizations should also determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage. The breach should be escalated internally as appropriate, including informing the person within the organization who is responsible for privacy compliance. Organizations must be careful not to destroy evidence that may be valuable in determining the cause of the breach or in allowing the organization to take appropriate corrective action.

If the breach involves personal information and poses a real risk of significant harm to individuals, organizations must inform themselves of their obligations under PIPEDA, which include reporting to the OPC and notifying affected individuals.

Finally, organizations that are dealing with a data breach may find it particularly beneficial to contact a legal professional knowledgeable in the area of privacy. Doing so early in the process can ensure that your organization takes the necessary corrective action.

If you or your business has concerns about a possible data breach, Duncan, Linton LLP can help. Do not hesitate to reach out and speak with one of our lawyers. Contact us online or call 519-886-3340 to make an appointment.