November 6, 2018
New data breach notification requirements went into effect across Canada on November 1st. Here’s a quick overview.
The amendments to PIPEDA – the Personal Information Protection and Electronic Documents Act – are an outgrowth of the Digital Privacy Act of 2015 (Bill S-4). The changes are expected to provide social, economic, and public security benefits while aligning Canadian breach notification requirements more closely with those of the European Union’s General Data Protection Regulation (GDPR). Since many Canadian organizations already comply with GDPR requirements, a large number of them will already have the infrastructure in place to comply with the new rules.
The objectives of the regulations are to ensure:
- all Canadians receive consistent information about data breaches that pose a risk of significant harm
- data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact
- the Office of the Privacy Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm
- the Commissioner is able to provide oversight and verify that organizations are complying with the notification requirements
- data breaches are reported and consistent records are maintained.
Since most Canadian provinces had no formal breach notification legislation in place prior to November 1st, citizens of those provinces are now covered under the national rules. Provinces that had regulations in place are now covered by the national regulations to ensure consistency.
What’s covered under the new law?
Under the new law, service providers are required to notify the data controller if and when there is any incident that may potentially expose Personally Identifiable Information (PII). The Office of the Privacy Commissioner of Canada has released the following guidelines for organizations subject to PIPEDA.
Under the new regulations, organizations subject to PIPEDA must:
- Report any breach of security safeguards involving personal information to the Privacy Commissioner’s office where the breach creates a “real risk of significant harm”;
- Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
- Keep records of all breaches of security safeguards that affect the personal information under their control; and
- Keep those records for two years.
Financial penalties for non-compliance are expected.
The organization that collects personally identifiable information on its employees, customers, or others is responsible for reporting any breach, even if that breach involves the actions of a third party to whom it has entrusted the information for transmission, processing, storage, or destruction.
This means that the principal organization must have sufficient contractual arrangements in place to ensure compliance, notification, and record-keeping that meet the minimum breach provisions of PIPEDA.
How does breach notification impact asset end-of-life?
Naturally, the potential for a data breach doesn’t end until PII is erased from data-bearing devices or those devices are destroyed. A prudent organization will ensure appropriate procedures are in place to protect data from the moment an asset goes into service until the point at which the data is erased or the device is destroyed.
When working with an IT Asset Disposition partner, consider which data sanitization and/or destruction methods are most appropriate for your needs and ensure you have detailed procedures to cover taking devices out of service and securing them through the hand-off to your ITAD partner.
You may, for example, choose to have your ITAD provider come to your locations to perform onsite data erasure or drive destruction to ensure PII is eradicated before any assets leave your facility. Alternatively, you may choose to have your provider transport your equipment in a secure truck to their processing center for erasure or destruction.
Regardless of which approach you choose, include language in your contract that clearly states how and how quickly your ITAD provider should notify you if there’s any concern about chain-of-custody – e.g., a laptop that cannot be located – and ensure your partner provides a Certificate of Data Destruction for every device.