Office of the Privacy Commissioner of Canada (“OPC”) Reviews First Year of Mandatory Data Breach Reporting and Recordkeeping Requirements
On the first anniversary of the coming into force of the mandatory data breach reporting and recordkeeping requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and its accompanying regulations, the OPC released a blog post (the “OPC Report”) on November 1, 2019 outlining its findings, which also alarmingly illustrated the privacy challenges faced by Canadian organizations. The reporting and recordkeeping requirements were reported by Carters Professional Corporation in the Charity & NFP Law Bulletin No. 429 on September 27, 2018.
As revealed in the OPC Report, 28 million Canadians were impacted by a data breach within the preceding one-year period. The OPC Report revealed that while some of the 680 breach reports received during the year came from large organizations and headline-grabbing breaches, a significant number of them were from small and medium-sized businesses, revealing the impact of data breaches on such organizations as well. A majority of the reported breaches (58% of them) involved unauthorized access to personal information, with some of these incidents being a result of employee snooping, and others involving external attackers. One in four reported breaches involved external attacks, using social engineering techniques such as phishing and impersonation to gain access to personal information. The OPC Report also revealed that 12% of the reported breaches were due to the loss of a computer, other devices or paper documents, while 8% of them involved theft of computers, their components or paper documents. Accidental disclosure of personal information, such as instances where personal information was mailed or emailed to the wrong person, was the cause of 5% of the reported breaches. Overall, these statistics indicate that while privacy breaches may result from cyberattacks such as phishing, social engineering or data theft, a significant percentage of them are a result of internal organizational causes such as human error or employee snooping.
In addition, the OPC Report advised organizations to take steps to reduce privacy breaches, including: (1) understanding their data to better protect it, which means knowing what personal information they have and what is done with it; (2) assessing their vulnerabilities, which includes testing technical safeguards and looking at other risk exposures such as contracts with third party service providers and training employees on privacy risks and understanding their responsibilities; and (3) staying current with trends and breaches in their industry because attackers often use the same attacks against multiple organizations within the same industry. Lastly, the OPC Report also provided tips to organizations responding to a breach, which include starting with containment, designating someone to lead the response and investigation, and ensuring that evidence is preserved.
While the OPC Report deals exclusively with organizations subject to PIPEDA, it provides a snapshot into the privacy risks and exposures faced by all Canadian organizations. These privacy breaches may result in legal liability including class action litigation, regulatory investigations and enforcement, interruption to business, financial loss, and most importantly in the charity and not-for-profit sector, damage to reputation. Charities and not-for-profits should proactively take steps in order to reduce their risk of a privacy breach, in addition to putting in place incident response plans to guide their response to privacy breaches, if and when they occur.
Submissions Made by the Canadian Bar Association (“CBA”) on the Modernization of the Privacy Act
The CBA’s Privacy and Access Law Section, with comments from the CBA’s Aboriginal Law Section, made a submission on the modernization of the Privacy Act. The CBA submission states that the Privacy Act, which was enacted in 1982, “has not kept pace with societal and technological developments, or with parallel legislation for the private sector, most notably the Personal Information Protection and Electronic Documents Act (PIPEDA).” The CBA submission also advises that it is important to ensure that Canadians’ expectation of privacy is treated as paramount, such as through the adoption of an explicit “necessity” test during the collection, use or disclosure of personal information in the public sector. Further, the CBA submission recommends that openness and transparency of government institutions’ personal information protection practices should be “buttressed by minimum legislative requirements.” Government institutions should collect, use, share and secure data responsibly, in addition to having a general duty under the Privacy Act to protect personal information with safeguards that are appropriate to the sensitivity of the information.
In its submission, the CBA also reinforces that the Privacy Act should provide greater certainty for Canadians, and an easy and comprehensive way for finding out when their personal information has been collected, used, shared or disclosed across government institutions. Among other things, this may be done by imposing a requirement on the government to notify individuals when their personal information has been collected, used and disclosed.
Freedom of Information and Protection of Privacy Act (“FIPPA”) Amended by the Addition of a New Part III.1 on “Data Integration”
November 4, 2019 marked the proclamation into force of Schedule 31 of Ontario Bill 100, Protecting What Matters Most Act (Budget Measures), 2019. This schedule amends FIPPA by adding a new Part III.1 on “Data Integration”, generally allowing the Government of Ontario to create “data integration units” for the collection and use of personal information from various sources, including institutions under FIPPA. Under Part III.1, provincial agencies and ministries will be able to collect personal information indirectly from other provincial agencies and ministries, which may then be compiled and analyzed to allocate resources, and to plan and evaluate the delivery of programs and services provided or funded by the Government of Ontario. In addition, the schedule amends the grounds for the disclosure of personal information by public sector organizations to law enforcement agencies.
Esther Shainblum, B.A., LL.B., LL.M., CRM practices at Carters Professional Corporation in the areas of charity and not-for-profit law, privacy law and health law.