Posted: January 28, 2016
Written by: Andrew Buck
(Un)Happy Data Privacy Day!
If you're responsible for managing your organization's privacy compliance, you might be of the view that there's nothing particularly happy about data privacy. Two recent high-profile privacy breaches in Winnipeg, both covered in the news, remind us that privacy requires a 365-days-a-year commitment.
What's interesting is how organizations respond to privacy breaches. In Manitoba, public sector organizations and organizations that handle health information are not legally required by our privacy statutes to report privacy breaches. However, the Manitoba Ombudsman's office recommends reporting, as "a positive action [which] demonstrates that the public body or trustee considers the protection of personal and personal health information to be an important and serious matter."
Private sector Manitoba businesses are subject to the Personal Information Protection and Electronic Documents Act (or PIPEDA). As with our Manitoba privacy laws, PIPEDA also doesn't require privacy breach reporting. In practice, then, an organization that has suffered a privacy breach is often left to make a careful cost-benefit assessment: to report, or not to report? There are good reasons on both sides of the equation.
All of that will soon change, however.
PIPEDA has been amended by the Digital Privacy Act. While most of those amendments are now in force, we're still waiting for the federal government to finalize the regulations that will define the contours of PIPEDA's pending mandatory privacy breach reporting obligations. Once those regulations are published, we can expect a short grace period for businesses to operationalize their reporting procedures. But make no mistake - it's only a matter of when, not if, mandatory privacy breach reporting will become the law.
Some of the finer points are to be addressed in the regulations, but if you haven't already, your business should be considering a strategy to address the following questions:
- Who needs to notify?
- When does the obligation to notify arise?
- To whom must notification be given?
- When does the notification need to be sent?
- What needs to be said in the notification?
- What kind of privacy breach records need to be kept?
Fortunately, we're not without guidance. Some Canadian jurisdictions already have mandatory privacy breach reporting laws in place, and privacy regulators have published best-practice standards. These standards, together with any guidance material our privacy regulators may yet publish, should provide the needed direction and support.