As privacy incidents and security breaches involving personal information become more frequent, organizations are increasingly aware of the importance of implementing a robust privacy program to mitigate risks and impacts of such incidents. While this preparation is important, organizations must also consider the consequences of a privacy incident. In this first blog post, we will discuss the legal obligations and procedural considerations for keeping records of privacy incidents.
Private sector privacy laws include various obligations regarding the keeping of records of privacy incidents.
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to maintain a record of all breaches involving personal information. Quebec's new An Act to modernize legislative provisions as regards the protection of personal information (formerly known as Bill 64, and now as Law 25) will similarly require, effective September 22, 2022, all private sector organizations to maintain a privacy incident log. PIPEDA and Law 25 also indicate that these records must be provided, on request, to the Privacy Commissioner of Canada (the OPC) or the Commission d'accès à l'information (the CAI), respectively. These logs should include all incidents, whether or not the notification threshold is reached.
Other jurisdictions may also indirectly require companies to maintain similar records through other legal requirements. For example, the Alberta Personal Information Protection Act (the AB PIPA) grants the Information and Privacy Commissioner of Alberta the power to require organizations to provide the Commissioner with any additional information deemed necessary to determine whether individuals should be notified of an unauthorized access to, or disclosure of, personal information. Therefore, Alberta organizations should, at a minimum, keep a record of their incident reporting analysis, in order to be able to demonstrate the reasoning behind such a decision.
Additionally, organizations should remember the investigative powers given to regulators. PIPEDA, Law 25, the AB PIPA and the British Columbia Personal Information Protection Act all grant their respective Privacy Commissioners investigative powers regarding compliance with their respective privacy laws. Such investigations may be conducted to ensure that an organization has responded to a privacy incident appropriately and in accordance with applicable law.
Organizations should also be aware of any industry record-keeping obligations to which they may be subject. For example, organizations operating in the healthcare, telecommunications, or financial services sectors may be required to maintain a privacy incident log under an industry-specific law or regulation.
Organizations should also determine what information will be included in their privacy incident log. In this regard, the PIPEDA Security Breaches Policy clearly states that these records must contain sufficient information to demonstrate compliance with the legal requirements to notify the OPC and affected persons. Law 25 indicates that the contents of the log may be determined by government regulation, which will likely be similar to the requirements of PIPEDA. Thus, organizations should, at a minimum, maintain records describing the facts of an incident and, more importantly, their analysis of whether or not to notify individuals and regulators under applicable laws.
Organizations should also consider how long these records should be retained. The Security Breaches Policy provides a clear answer to this question: obligated organizations must keep a record of a breach for a period of two years after the day the breach occurred, as determined by the organization. That being said, and as mentioned earlier, organizations in regulated industries should consider any other legal obligations requiring them to maintain a record for a longer period, or prescribing what those records should include.
Finally, organizations should consider how their records can be accessed, as regulatory authorities may request a copy. Records must be stored in such a way that they can be easily retrieved and/or communicated to third parties. Organizations that are required to comply with Law 25 may consider using technologies similar to those that will be used to comply with the new right to data portability granted to individuals.
Organizations may have other reasons for recording their privacy incidents. In our next publication, we will discuss the business benefits of maintaining such records, including in the context of mergers and acquisitions and for analytical purposes.