Norton Rose Fulbright – As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is important, organizations must also consider the aftermath of a privacy incident. In this first blog post, we will discuss legal obligations and procedural considerations regarding record-keeping of privacy incidents.
Private-sector privacy statutes have varying obligations regarding maintaining records of privacy incidents.
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to keep a record of all breaches involving personal information. Quebec’s new Act to modernize legislative provisions as regards the protection of personal information (formerly known as Bill 64, and now as the Law 25) will similarly, as of September 22, 2022, require all private sector organizations to keep a register of confidentiality incidents. Both PIPEDA and the Law 25 also indicate that these records must be provided to the Privacy Commissioner of Canada (the OPC) or the Commission d’accès à l’information (the CAI), respectively, upon request. These registers must include all incidents, regardless of whether or not the threshold for notification is met.
Other jurisdictions may also indirectly require businesses to maintain similar records, by way of other statutory requirements. For example, Alberta’s Personal Information Protection Act (the AB PIPA) grants the Alberta Information and Privacy Commissioner the power to request organizations to provide it with any additional information which it deems necessary to determine whether individuals should be notified of an unauthorized access to or disclosure of personal information. Therefore, Albertan organizations should, at the very least, keep a record of their analysis regarding the incidents notification, to be able to demonstrate the reasoning behind such decision.
Furthermore, organizations should remember the investigative powers granted to regulators. PIPEDA, Law 25, AB PIPA and British Columbia’s Personal Information Protection Act, all grant their respective privacy commissioner investigative powers regarding compliance with their respective privacy statutes. Such investigations may be conducted to ensure that an organization responded to a privacy incident appropriately and in accordance with applicable law.
Organizations should also be aware of any sector-specific record-keeping obligations they may be subject to. For example, organizations operating in the health, telecommunications or financial services industries may be required to keep a record of privacy incidents pursuant to an industry-specific statute or regulation.
Organizations also need to consider what information will be included in their record of privacy incidents. In this regard, PIPEDA’s Breach of Security Safeguards Regulation clearly outlines that such records must contain enough information to demonstrate compliance with the statutory requirements to notify the OPC and affected individuals. Law 25 indicates that the contents of the register can be determined by government regulation, which will presumably be similar to the PIPEDA requirements. Thus, organizations should minimally keep records outlining the facts of an incident and, more importantly, their analysis of whether or not notifying individuals and regulators is required under applicable laws.
Organizations should also consider how long to keep these records. The Breach of Security Safeguards Regulation provides a clear answer to this question: subject organizations need to keep a record of a breach for a period of two years following the day on which the breach occurred, as determined by the organization. That being said and as previously mentioned, organizations in regulated industries should consider any other legal obligations requiring them to keep a record for a longer period of time, or what these records should include.
Finally, organizations need to consider how their records can be accessed, given that regulatory authorities may request a copy of them. Records should be stored in such a manner that they can easily be extracted and/or communicated to external parties. Organizations that are required to comply with Law 25 may want to consider using similar technologies as those that will be used to comply with the new data portability right granted to individuals.
There may be other reasons for organizations to record their privacy incidents. In our next publication, we will discuss the business advantages of maintaining such records, including in the context of M&As and for analysis purposes.