Nov. 2, 2019

Don’t let your nephew be responsible for your financial future

We all have that one family friend or relative, usually younger than you, who understands technology and the ever-changing digital landscape; the one who can fix your computer when weird things start happening.

But cyber security is not child’s play.

As of Nov. 1, 2018, commercial operations in Canada (including medical offices) that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) now face strict new privacy breach response requirements with respect to any data security safeguard breach. Under the Digital Privacy Act, every organization that collects, uses and discloses personal information in the course of commercial activity in Canada (with a few exceptions) must follow new mandatory data breach record-keeping, reporting and notification rules — or face significant non-compliance consequences.

Here are the answers to some frequently asked questions about the Digital Privacy Act and its new data breach response requirements.

1. What is the Digital Privacy Act and what are its new mandatory data breach response requirements?

The Digital Privacy Act is a federal law that amends PIPEDA to mandate a response to data breaches that includes three key new obligations: record-keeping, reporting and notification.

Existing safeguarding obligation

Canadian law already obligates organizations to protect personal information with security safeguards appropriate to the sensitivity of the information. These security safeguards are required to protect personal information (regardless of the format it is in) against unauthorized access or use in any manner.

  • Sensitivity. Under PIPEDA, organizations must protect personal information, regardless of the format in which they hold it, by security safeguards “appropriate to the sensitivity of the information” against loss or theft, unauthorized access, disclosure, copying, use, or modification.
  • Reasonable and appropriate. The standard the safeguards must meet varies depending on the sensitivity of the information collected, its amount, distribution and format, and how it’s stored: the safeguards must be reasonable and appropriate.

New data breach response obligations

The Digital Privacy Act implements three new obligations when there’s a “breach of security safeguards”:
  1. Record-keeping. A log must be kept of every instance of a “breach of security safeguards” involving personal information, and each record must be retained for 24 months.
  2. Report to the Privacy Commissioner. If a breach represents a real risk of significant harm to an individual, the organization must prepare and send a report to the Privacy Commissioner that includes the information detailed in the Breach of Data Safeguard Regulations.
  3. Notice to affected individuals. If a breach meets the threshold in item 2 above, affected individuals must be notified so that they are aware of the breach and can take steps to protect themselves.
    • Only to be used in specific situations
    1. Direct notification: email (where agreed to), letter, telephone, in person
    2. Indirect notification: post on website

NOTE: All notification costs are to be borne by the affected organization.

Practically, this means any of the following “internal” security breach scenarios could amount to a “breach of security safeguards” — and trigger the mandatory data breach response obligations:

  • an employee violates the employer’s “clean desk policy” and another patient sees a patient record
  • a lab report is sent to the wrong email address

2. Does the Digital Privacy Act apply to me and my practice?

Yes. The Digital Privacy Act applies to every organization to which PIPEDA applies. This includes most doctors who collect, use and/or disclose personal information in the course of commercial activity in Canada, with the exception of Quebec, Alberta and British Columbia, which all have provincial legislation that’s similar to PIPEDA.

3. Why should organizations comply with the Digital Privacy Act’s data breach response requirements?

Because the consequences of failing to do so are significant. They can include:

  • Exposure of organizations — and directors personally — to fines of up to $100,000 per violation.
  • Civil lawsuits. An individual or organization that suffers a loss as a result of a data security breach can sue the organization. These lawsuits are increasingly common in Canada, and many businesses discover that “ordinary” insurance doesn’t cover this. The only real way to reduce the risk of liability is to reduce the risk of data breaches in the first place. And the only way to reduce the financial risk is with cyber liability insurance.
  • Reputational damage. In today’s climate of awareness about cyber security and the prevalence of social media, a data breach — particularly one that’s not handled well — can cause you and your organization immeasurable reputational damage.

4. How do affected organizations comply with the Digital Privacy Act’s mandatory data breach notification requirements?

Breaches happen — but advance preparation can significantly reduce the liability and reputational risks if such a breach occurs. There are some key areas on which to focus when preparing for the Digital Privacy Act’s mandatory data breach response requirements, including:

  • Understanding the new obligations
  • Addressing third-party contractor risks
  • Developing a breach log and reporting process
  • Dealing with employee risks before they happen through training, policies and procedures
  • Considering cyber insurance protection

Talk to your Insurance Advisor about adding cyber protection to your Office/Clinic package from OMA Insurance.

The content of this article is intended to provide a general guide to the legislation. Specialist advice should be sought about your specific circumstances.