eCaseNote 2018 No. 01 July 12, 2018 / eCasenote

More Privacy Regulations Are on the Way… Are You Ready?

Digital Privacy Act, SC 2015, c 32

What is the Digital Privacy Act? The Digital Privacy Act (DPA) received Royal Assent in June 2015 and significantly amended the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the federal Act that governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity. The DPA's amendments include new provisions on consent, on the powers of the federal Privacy Commissioner, on the scope of PIPEDA's application, and on breaches of security safeguards, meaning the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards or from a failure to establish those safeguards.

While most of those amendments came into force in 2015, the breach provisions were held back until supporting regulations could be made. Those regulations, like PIPEDA itself, apply to federal works, undertakings and businesses, and to organizations in provinces that have not enacted substantially similar private-sector privacy legislation. Newfoundland and Labrador's Personal Health Information Act (PHIA) has been declared substantially similar to PIPEDA, but the PHIA applies only to health information custodians, that is, persons who have custody or control of personal health information because of their powers, duties or professional position. The province's other privacy statute, the Access to Information and Protection of Privacy Act (ATIPPA), governs public bodies and is not substantially similar to PIPEDA. The practical result is that private-sector organizations in the province remain subject to PIPEDA, and therefore to the new breach regulations, for personal information handled in the course of commercial activity, with the PHIA governing custodians' handling of personal health information.

Now, just over three years after Royal Assent, the DPA regulations are ready and will come into effect on November 1, 2018. The question is… are you ready?

What are the new provisions of the DPA? The provisions coming into force in November set out what an organization must do when it suffers a breach of security safeguards. If the breach creates a "real risk of significant harm" to an individual, the organization must report it to the federal Privacy Commissioner and notify the affected individual, in both cases as soon as feasible after determining that the breach has occurred. It must also notify any other organization or government institution that it believes may be able to reduce the risk of harm or mitigate it. Separately from the notification duty, the organization must keep a record of every breach of security safeguards, whether or not it meets the real-risk threshold, for 24 months after the day it determines the breach occurred, and must provide those records to the Commissioner on request.

How Does the DPA Define “Significant Harm”? The DPA defines significant harm inclusively rather than exhaustively; it includes:

Bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

The DPA lists the factors an organization must weigh in deciding whether a breach creates a real risk of significant harm:

    (a) the sensitivity of the personal information involved in the breach;
    (b) the probability that the personal information has been, is being, or will be misused; and
    (c) any other prescribed factor (the regulations do not, as yet, prescribe any additional factors).

How should affected individuals be notified? Direct notification must be given to the affected individual in person or by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.

The regulations also address situations where direct notification is not appropriate. Indirect notification, by public communication or a similar measure that could reasonably be expected to reach the affected individuals, must be given instead where:

    (a) direct notification would be likely to cause further harm to the affected individual;
    (b) direct notification would be likely to cause undue hardship for the organization; or
    (c) the organization does not have contact information for the affected individual.

What should be included in the notifications? As noted above, the DPA requires organizations to notify the affected individuals and to report to the federal Privacy Commissioner, and the regulations prescribe the content of each.

Notification to the affected individuals must include:

    (a) a description of the circumstances of the breach;
    (b) the day on which, or the period during which, the breach occurred;
    (c) a description of the personal information that was breached;
    (d) a description of the steps the organization has taken to mitigate the risk of harm resulting from the breach;
    (e) a description of the steps the affected individual can take to reduce or mitigate their risk of harm as a result of the breach;
    (f) contact information that the affected individual can use to gather additional information about the breach.

Notification to the Privacy Commissioner must be in writing (it may be sent by any secure means of communication) and must include:

    (a) a description of the circumstances of the breach and, if known, its cause;
    (b) the day on which, or the period during which, the breach occurred;
    (c) a description of the personal information that was compromised;
    (d) the number of individuals affected by the breach or, if that number is not known, an approximate number;
    (e) a description of the steps the organization has taken to reduce the risk of harm to the affected individuals;
    (f) a description of the steps the organization has taken or intends to take to notify the affected individuals; and
    (g) the name of and contact information for a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

What are the Penalties for Non-Compliance with the new provisions of the DPA? Enforcement falls to the federal Privacy Commissioner, who already oversees PIPEDA and investigates complaints under it. The DPA also created new offences: an organization that knowingly fails to report a breach to the Commissioner, knowingly fails to notify affected individuals, knowingly fails to keep the required breach records, or obstructs the Commissioner in an investigation or audit is liable to a fine of up to $10,000 on summary conviction or up to $100,000 on indictment. As with other PIPEDA matters, the Federal Court may also order an organization to correct its practices.

Counting Down to November 1st… The regulations come into force on November 1, 2018. Before then, organizations should review the guidance the Office of the Privacy Commissioner has published on breach reporting (voluntary until that date, mandatory afterward) and update their incident response policies and procedures so that every breach of security safeguards is identified, recorded, assessed against the real-risk-of-significant-harm test and, where the threshold is met, reported and notified with the prescribed content and timing.