Don’t rush when assessing RROSH: Record keeping and breach notification obligations under PIPEDA

In light of a recent Office of the Privacy Commissioner publication, companies should note the importance of sometimes-overlooked breach compliance activities, including documenting a data breach and how implementing an effective breach management system can be an important compliance tool.  

The federal Office of the Privacy Commissioner (OPC) recently published the 2019 Breach Record Inspection report (report)¹ on how organizations are addressing personal information breach record keeping and notification obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).² The report provides guidance for organizations on assessing and documenting a ‟real risk of significant harm” (RROSH), which triggers notification to the regulators and individuals. 

A key takeaway from the report is the importance for organizations to have a breach management system in place that consistently and appropriately assesses whether there is a RROSH if a breach occurs. Furthermore, a record-keeping system that sufficiently documents such assessment may serve as evidence of compliance with the mandatory breach notification. 

Practices when assessing RROSH

PIPEDA requires not only that an organization report all RROSH breaches but that it records all breaches whether reportable or not.  In cases where no RROSH is found, an organization should also make sure enough detail about the RROSH assessment should be documented for future investigation by the OPC. Some of the practices that the OPC described included:

• Adopt a team approach to the RROSH assessment.  The OPC promotes a team approach to improve an organization’s ability to identify all of the factors that may influence each breach’s RROSH assessment, as well as heighten privacy awareness and promote consistency within the organization in regards to RROSH assessments and addressing breaches.
• Taking a contextualized approach. The OPC notes that various factors might affect the RROSH assessment of different breaches and provides four breach examples in that regard. These examples are consistent with past OPC guidance in recognizing the importance of assessing (i) the sensitivity of the personal information involved in the breach; and (ii) the probability that the personal information has been, is being, or will be, misused. They also illustrate how contextualized this assessment is – a RROSH may arise as a result of an individual’s particular circumstances (e.g., the person’s relationships, financial situation, health circumstances, if the individual’s information has been previously exposed, etc.).
• Best tools for assessing RROSH. The OPC remarks that businesses can use a variety of tools to assess RROSH. Choosing which type of tool to use – be it a risk matrix, a checklist or a list of questions – will depend on the organization’s activities and needs.  

Practices when documenting an assessment of RROSH

Breach records must contain sufficient information for the OPC to verify an organization’s compliance with mandatory breach reporting and notification requirements. The report further describes the following practices in regards to record keeping:

• Sufficient Detail. Breach records must contain sufficient detail to determine whether or not the breach met the RROSH threshold. This could be in the form of an explanation of why the organization determined the breach did or did not meet RROSH. It should further reflect details about the sensitivity of the personal information involved, as well as the probability that the personal information might be misused. The report notes that an organization can demonstrate its compliance with the breach notification obligations of PIPEDA by including adequate details of the RROSH assessment in its breach records.
• Solicitor/Client Privilege. An organization’s records or parts of its records may be subject solicitor-client privilege. Nevertheless, the report states that even if an organization needs to withhold part of a breach record because of solicitor-client privilege, the organization needs to ensure its record still includes the prescribed information, if requested by the OPC. An organization will therefore want to carefully document and implement procedures to ensure it is able to maintain privilege over such records (or parts of records) while complying with this requirement. An effective means of doing so would be to consider this in the design of any framework to assess RROSH.
• Adequate retention period. The OPC suggests considering keeping records for longer than a 24-month period, so the organization’s breach management system becomes better at identifying trends, systemic issues, and blind spots. 

In addition to including the above elements in its breach management system, the report recommends that organizations continually audit and improve these systems (including to ensure an organization’s staff are not under-reporting breaches). An organization may want to therefore review its current breach management system to ensure that it includes the elements outlined in the report, as well as procedures to continually audit and improve the same.

The authors wish to thank law student Roxanne Caron for her help in preparing this legal update.