Privacy Law Update

November 2019 Charity & NFP Law Update

One Year Anniversary - OPC Reviews the First Full Year of Mandatory Data Breach Reporting and Recordkeeping Requirements 

November 1, 2019 marked the one-year anniversary of the coming into force of mandatory data breach reporting and recordkeeping requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and accompanying regulations (previously reported in Charity & NFP Law Bulletin No. 429). In appropriate recognition of this milestone, the Office of the Privacy Commissioner of Canada (“OPC”) released a blog post (the “OPC Report”) outlining its findings from the first full year of mandatory data breach reporting and providing an alarming snapshot of the privacy challenges faced by organizations in Canada.

The OPC Report revealed that, in a single one-year period, a shocking 28 million Canadians were impacted by a data breach. While some of 680 breach reports received by the OPC during the year arose from large organizations and headline-grabbing breaches, the OPC Report pointed out that a significant number of reports came from small- and medium-sized businesses, which are also impacted by data breaches. The bulk of the reported breaches – 58% – involved unauthorized access to personal information. Some unauthorized access incidents resulted from employee snooping, while others (one in four reported breaches), involved external attackers using social engineering techniques such as phishing and impersonation to gain access to personal information. 12% of reported breaches were due to the loss of a computer, other devices or paper documents while 8% involved the theft of documents, computers or computer components. 5% of reported breaches were due to accidental disclosure of personal information, such as situations in which personal information was mailed or emailed to the wrong person. The OPC Report statistics indicate that, while privacy breaches can result from cyber-attack incidents, such as phishing, social engineering and data theft, a significant percentage of breaches arise from internal organizational causes such as human error or employee snooping.

The OPC Report advised organizations to take steps to reduce privacy breaches including: (1) understanding their data so they can protect it – this means knowing what personal information they have and what they do with it; (2) assessing their vulnerabilities – testing their technical safeguards as well as looking at other risk exposures, such as contracts with third party service providers and their employees’ training and understanding of their responsibilities; and (3) staying on top of current trends and breaches in their industry, as attackers often use the same attacks against multiple organizations. The OPC Report also provided some tips to organizations that are responding to a breach, including to start with containment, designate someone to lead the response and investigation, and ensure that evidence is preserved.

Although the OPC Report deals exclusively with organizations subject to PIPEDA, it provides a snapshot of the privacy risks and exposures facing all organizations in Canada. Privacy breaches can result in legal liability, including class action litigation, regulatory investigations and enforcement, business interruption, financial loss and, perhaps most important in the charity and not for profit sector, reputational damage. Charities and not for profits should be proactively taking steps to reduce their risk of a privacy breach as well as putting in place incident response plans to guide their response to a privacy breach if and when it occurs.

Canadian Bar Association Submissions on Privacy Act Modernization

In response to discussion papers issued by Justice Canada in June 2019, the Canadian Bar Association’s (“CBA”) Privacy and Access Law Section, with comments from the CBA Aboriginal Law Section, made a submission on the modernization of the Privacy Act. The CBA submission makes clear that the Privacy Act, which was enacted in 1982, “has not kept pace with societal and technological developments, or with parallel legislation for the private sector, most notably the Personal Information Protection and Electronic Documents Act (PIPEDA).” As such, in order to modernize the Privacy Act, the CBA highlights the importance of ensuring that Canadians’ expectation of privacy is treated as paramount, for example, through adopting an explicit “necessity” test when collecting, using or disclosing personal information in the public sector. The CBA also recommends that openness and transparency of government institutions in their personal information protection practices be “buttressed by minimum legislative requirements.” Data should be collected, used, shared and secured responsibly, with the government institutions having a general duty under the Act to protect personal information with safeguards appropriate to the sensitivity of information.

The CBA also reinforces that the Act should provide greater certainty for Canadians and an easy and comprehensive way for finding out when their personal information is collected, used, shared and disclosed across government institutions by, among other things, imposing a requirement on the government to notify individuals of any such collection, use and disclosure of their personal information.

Read the November 2019 Charity & NFP Law Update