On October 2, 2017, the Office of the Privacy Commissioner of Canada (OPCC) sent a letter to the Department of Innovation, Science and Economic Development regarding the proposed Breach of Security Safeguards Regulations, which are to be enacted pursuant to the Personal Information Protection and Electronic Documents Act. E-TIPS® Newsletter previously reported on the publication of the draft regulations in the Canada Gazette.

The OPCC’s letter focuses on recommendations for the content of data breach reports and for data breach record-keeping requirements. The OPCC also commented on the time frame for bringing the new regulations into force, but stated only that it should be earlier than the 18-month period suggested by some other stakeholders.

The OPCC suggests that reports that are to be submitted to the Privacy Commissioner in the event of a data breach should include:

  • a report on the state of relevant security safeguards implemented by the organization;
  • an assessment of the risk of harm caused by the breach;
  • a list of third party organizations that were notified of the breach; and
  • a description of measures that have been or will be taken to mitigate the risk of harm to individuals.

The OPCC also suggests that the record-keeping requirement for any data breach should be increased from 24 months to 60 months, and that the records should detail:

  • the date of the data breach;
  • a general description of the circumstances of the data breach;
  • the nature of information involved in the data breach; and
  • a summary and conclusion of the organization’s risk assessment of the data breach.

Summary By: Michael House

E-TIPS® ISSUE 17 10 18