Released Sept. 2, the proposed regulations relate to provisions in Canada’s Personal Information Protection and Electronic Documents Act, which are not yet in force.
Lawyers working in the area of cybersecurity, privacy and data management have anticipated the proposed regulations.
“There’s no marked departure from global standards,” says Kirsten Thompson, a partner in McCarthy Tétrault LLP’s national technology group in Toronto, adding that a similar regime already exists in Alberta.
Under PIPEDA, organizations will be required to notify affected individuals of any “real risk of significant harm” to them resulting from a breach of security of their personal information. Organizations must also report to the Office of the Privacy Commissioner of Canada as soon as possible regarding any data breach that poses such a risk.
The privacy legislation creates an obligation to safeguard information with measures appropriate to the sensitivity of the information. The regulations are flexible enough that each company can decide what its own solutions are, Thompson says; yet having a principle-based system means there are grey areas: “there’s flexibility, but not certainty.”
Tamara Hunter, who practises in the areas of freedom of information and privacy law with DLA Piper (Canada) LLP in Vancouver, says two aspects of the proposed regulations caught her attention. The first was that indirect notification to individuals may be given in circumstances including when the cost of giving direct notification is prohibitive for the organization.
“From the point of view of small- to medium-sized businesses, that would be appropriate,” says Hunter, adding that some consumer groups may lobby to have that removed from the regulations.
The second item is that where a company does give notification to affected individuals, the proposed regulations say the company has to tell them they can make a complaint to the privacy commissioner.
“The regulations in Alberta only require businesses to give contact information for someone at the organization, to answer questions. They don’t say, you can make a complaint to the commissioner,” Hunter says. “I’m not sure that’s necessary.”
One concern for businesses may be the record-keeping obligations imposed by the proposed regulations, says Thompson; they require records of breaches to be kept for 24 months after the day on which the organization determines the breach has occurred. She notes that a report made to the Office of the Privacy Commissioner may be used by the organization as its “record of the breach.”
“If you’re a company or business, you don’t want to satisfy the record-keeping obligation only to find out that it may be used [against you] in court at some point,” Thompson says.
There is also the potential for delays in individuals being notified of breaches to their security, she adds. In Alberta, organizations must first notify the privacy commissioner of a breach of personal information; the commissioner then makes a determination of the risk of individual harm and can order a company to notify individuals. As time passes, the ability of affected individuals to take prompt action to protect themselves is compromised by that regime, she says, and there’s a concern that the federal commissioner may get similarly bogged down.
The positive effects may outweigh any negatives, though. “Organizations will have to become more transparent about breaches of information security when they happen,” says Hunter, and “consumers will be made more aware.
“What follows from [these regulations] is that organizations now have an obligation to prevent these breaches from happening in the first place,” Hunter adds. “That’s largely a function of senior management commitment to information security, and making sure they have the right mechanisms in place, technologically and operationally, so they’re doing spot checks and audits to make sure people are following the policies they should be following, and creating a culture of privacy and information protection within the organization.”