Privacy officers have less than two weeks to advise the federal privacy commissioner what kind of guidance it should offer organizations on the new mandatory data breach notification rules that come into effect Nov. 1.
The Office of the Privacy Commissioner of Canada (OPC) said Monday it has set an Oct. 2 deadline to hear back from the public on the proposed draft guidance it issued earlier this year to help businesses that are overseen by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) comply with the new law.
Because the new rules involve some interpretation — and because companies face fines if they don’t comply — for many businesses the advice from the privacy commissioner may be vital. This is especially true for small businesses that don’t have full-time legal counsel.
Starting Nov. 1 organizations covered will have to report to affected persons as well as to the OPC “breaches of security safeguards” on personal information if there is a “real risk of significant harm” resulting from the breach.
So organizations will want to know what counts as a breach of a security safeguard, and how they should determine whether there is a real risk of significant harm (already reduced to the acronym RROSH by privacy pros) to a person.
In its proposed guidance the OPC notes that not all breaches have to be reported, only those where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Significant harm, says the guidance (and the law), includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
That may seem straightforward. But what is a real risk of significant harm? The guidance says that must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being, or will be misused.
What’s the definition of “sensitive personal information”? Some information — date of birth, credit card number, passport number — is obviously sensitive. But whether other information is sensitive will depend on the context, says the guidance. It points out that PIPEDA’s principles give an example: the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be.
As for evaluating the probability that stolen data will be misused, the guidance offers a number of questions an organization can ponder: How long has the data been exposed? Is there evidence of malicious intent? Was the exposure accidental, and therefore unlikely to lead to misuse?
The guidance also offers advice on how fast a breach should be reported (as soon as feasible even if not all information is available) and the way it should be reported.
Whether all this advice is clear enough is what the OPC wants to know.
“We are seeking feedback on what we’ve included in the draft guidance and reporting form because we want to help businesses comply with the new mandatory breach reporting requirements,” OPC spokesperson Tobi Cohen said in an email. “Our aim is to assist businesses, so we feel it is important to get their feedback on our advice as they may have ideas on what is and isn’t helpful.
“Keep in mind as well that this is the final phase of a lengthy process. As we developed our guidance, we were mindful of comments provided by stakeholders during Innovation, Science and Economic Development Canada’s extensive consultations on the regulations. We now wish to hear final comments on the specifics of our guidance.”
The OPC’s final guidance will be ready by Nov. 1st.