Privacy Breaches – Do You Have To Say Anything?

By Preston I.A.D. Parsons

With the recent, high-profile Facebook data breach scandal making headlines across the globe, privacy and the extent to which technology may be collecting, using, and disclosing our personal information without our knowledge or consent is once again on people's minds.

In many ways, Canadian privacy laws have struggled to keep up with the times. Rapid developments in technology are undoubtedly the key contributor to this, but the divide in tech-literacy between a younger generation of users quickly adopting new technology and an older generation of politicians drafting laws is surely another reason why legislative updates lag in this area. For a recent viral case-in-point from our neighbours down south, read here:

One of the areas where Canada's privacy laws have lagged significantly to date is mandatory breach notifications where a corporation improperly discloses an individual's personal information. If a company operating in Canada learns that there has been an unauthorized disclosure of personal information, do they have to say anything to the affected individual? Are they entitled to hold onto knowledge of that breach internally, or are there legal obligations that require a company to report to the affected individuals about the unauthorized disclosure?

As it turns out, in Canada, it depends what jurisdiction you are in, and what sector you work in. For the purposes of this newsletter, we examine the breach notification requirements, or lack thereof, for entities situated in British Columbia ("BC"), both in the private sector and the public sector.

Public Sector employers in BC that fall under provincial legislation are required to follow the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 [FIPPA]. By contrast, federal government institutions located in BC are subject to the Federal Privacy Act, R.S.C. 1985, c. P-21. Private Sector employers in BC are subject to the Personal Information Protection Act, S.B.C. 2003, c. 63 [PIPA], assuming they fall squarely within provincial jurisdiction. Federal employers located in BC that are not subject to FIPPA are subject to the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 [PIPEDA]. None of these pieces of legislation impose mandatory breach notification requirements at present.

The Privacy Commissioners have issued guidelines on when an organization "should" report a privacy breach to an affected individual, and companies would do well to understand these and heed them. Generally speaking, companies should notify affected individuals of the unauthorized disclosure of their personal information if it is necessary to avoid or mitigate harm to them. Timely notification may allow individuals to avoid identify theft, fraud, risk of physical harm, reputational damage, and more. Companies that react swiftly and advise affected individuals that they are doing everything they can to contain the breach and prevent another will retain more goodwill with affected individuals and the public at large than those who react poorly or slowly, or demonstrate a lackadaisical attitude to privacy, which opens affected individuals up to a greater risk of harm.

If your business is subject to PIPEDA, mandatory breach notification will soon be upon you as of November 1, 2018. On that date, certain sections of PIPEDA will come into force, resulting in specific obligations to notify affected individuals of the unauthorized disclosure of their personal information. Generally speaking, this comes into play where it is reasonable to believe the breach creates a real risk of significant harm to the individual. "Significant harm" is defined as including "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." What constitutes a "real risk" is not defined.

With the new amendments to PIPEDA coming into force this fall, it begs the question of whether PIPA will continue to govern the private sector in BC given that in order for it to apply, it must be "substantially similar" to PIPEDA. Without amendments, it is arguable that PIPEDA will be found to apply instead of PIPA to the BC Private Sector. Our neighbour, Alberta, has already updated its Personal Information Protection Act, R.S.A. 2003, c. P-6.5 to include mandatory breach notification obligations so amendments here in BC are inevitable.

Given the very real risks of harm that can come from the unauthorized disclosure of personal information, both to the individual and to the company, it is prudent to seek legal advice to understand your business' privacy law obligations, to put a plan in place for negative contingencies, and to seek guidance on the status of your obligations in the face of a(n) (inevitable) breach.