PIPEDA Privacy Breach Notification Regulations Published for Comment

The draft privacy breach regulations under PIPEDA have just been published. They are open for comment for 30 days.

These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach. PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in “real risk of significant harm”. Those provisions will come into force after the regulations are passed.

The draft regulations are about what were expected. They are similar to those under Alberta privacy legislation.

I agree with David Fraser’s view that section 4(a), which says notification to individuals can be sent “by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner”, is uncalled for. A notice of this nature is not spam, and it does not make sense to require that an individual has given consent to communication in that manner before an organization can notify them of a privacy breach. These notifications are for the benefit of the individual, so why make it harder for organizations to send them?

The amendments and regulations have provisions requiring organizations to keep records of all privacy breaches, including information that allows the Privacy Commissioner to determine if the organization properly considered the notice threshold tests. In other words, organizations must be able to prove that any decision not to notify was justified.

  1. The question that occurs to me about s. 4(a) is how the organization got the person’s address for email “or any other secure form of communication”. If the person provided it directly, then there could be a strong presumption that the person was consenting to its use.

    Otherwise, caution about the use of such an address may be justified. Lots of people have more than one email address, and may not pay much attention to some. The UN Model Law on Electronic Commerce, and many Canadian statutes that implement the Model Law, refer to an address designated by the addressee for receiving communications.

    The sender should have some confidence that the message will be received and read. Making the addressee complicit in the arrangement to send the message by this medium is a way of creating that confidence.