The Office of the Privacy Commissioner of Canada (OPC) this week introduced a series of videos and other resources to help businesses address breaches, and follow breach record-keeping obligations and other legal requirements.
As part of the breach record-keeping obligations, which became mandatory on November 1, 2018, businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are required to report to the OPC breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. Businesses must also notify affected individuals about those breaches, and keep records of them.
In its 2019 breach record inspections, the OPC says it engaged with seven telecommunications companies as a first on-the-ground assessment of the state of compliance with these obligations. It found that, in general, the telecommunications industry has record-keeping systems in place and that the companies it visited appeared to be taking their obligations seriously. At the same time, the Office observed key areas where opportunities for improved compliance are evident.
The OPC notes on its website that 40 per cent of sample records about breaches did not include sufficient information for the Office to adequately understand the organization’s assessment of whether the breach created a Real Risk of Significant Harm (RROSH). The review revealed that organizations need to enhance their assessment and recording of information about how they assessed RROSH.
“Importantly, breach records need to include details that can explain the basis for the organization’s RROSH assessment, particularly in cases where the breach did not create an RROSH. This information should be included in breach records as this will allow the OPC to verify compliance with breach reporting and notification requirements in PIPEDA,” the OPC says.
The Office has therefore developed a series of six videos to help businesses understand what breach reporting is, how they can assess the risks of significant harm, business obligations for reporting breaches, how they can submit an effective breach report, when and how they should notify organizations and people, and how they can keep all necessary records.
The OPC says these videos have been designed to help businesses open up a discussion with their staff on what they should do to protect the personal information of customers, clients, and their own employees and ensure the business is prepared in the event of a breach. Additional information related to breaches and other privacy issues is available in a suite of guidance documents aimed at helping businesses. A breach reporting portal that allows businesses to submit their breach reports and receive a file number to facilitate future communication about the report was also included in this week’s OPC care package.