The amendment has two parts. Many witnesses came before this committee and talked about the threshold for when organizations would be required to report a privacy breach to the Privacy Commissioner and the thresholds for when they would be required to notify individuals. That's the substance of the first amendment.
The proposed amendment would create two thresholds. For a report to the Privacy Commissioner, the breach would need to be a material breach. The criterion for a material breach is essentially that there's an aspect of risk, but I would argue it's designed to be a less objective test. You do look at the sensitivity of the information, but primarily you look at how many individuals were affected. Then the organizations do an internal review, and they ask whether this represents a systemic problem and whether it is evidence that they have a bigger problem here that they should tell the Privacy Commissioner about.
The other threshold is, as proposed in Bill S-4, the notification to individuals. This is unchanged. It would be a breach that is determined to pose a real risk of significant harm. This is a risk-based threshold. We look at the circumstances, the sensitivity and the probability that the information will be misused and the potential harm that it could cause, and those are the breaches we would tell individuals about.
It establishes these two thresholds, so what the Privacy Commissioner would be told about wouldn't necessarily be the same data breaches that individuals would be notified about.
From my own perspective what I found interesting about the testimony that the committee heard is that, on the one hand, business organizations like this because they don't want to have to tell the Privacy Commissioner about the one-off breach, the one that was really serious but only affected four or five people. They wonder why they need to tip off the Privacy Commissioner that this has happened. They'd rather only tell the Privacy Commissioner about the big problems, and deal with these with their clients directly.
Privacy advocates, on the other hand, didn't see these two thresholds as necessarily different. They saw them as nested in some way, so that the material breach was actually a lower threshold and that the Privacy Commissioner would hear about all of those breaches that affect one-offs—two or three people. But then for the ones that go to the individual, it's a higher threshold of that higher risk. They saw it that way.
From a policy perspective and as administrators of the law, the fact that you saw those two different views suggests that the provisions are not necessarily as effective and clear as they could be, if you have different stakeholder groups interpreting them in very different ways.
The committee may be aware that those two thresholds, the material threshold and the real risk threshold, were in previous versions of government bills to amend PIPEDA. But when Bill S-4 was drafted, this issue was examined and it was determined that because of those competing views, it was more simple, more effective for there to be a single threshold. An organization would look at a data breach and they'd say, “Is there a risk of harm in this circumstance? If there is, I have to tell the Privacy Commissioner and I have to inform the individual.”
That way the Privacy Commissioner knows about every single data breach that goes out to individuals. But to create accountability and to make sure that organizations are conducting these risk assessments in good faith, Bill S-4 creates a new requirement that wasn't in previous bills, and that's to maintain the records.
The process is very straightforward. I have a data breach. I determine if there is a risk. If there is, the notification goes out. If the determination is that there isn't a risk, that this may be evidence of a systemic problem or something like that, I have to maintain a record. The policy rationale behind that is that as soon as you require an organization to record this information and maintain it, they're going to pay more attention to it and this is how they're going to determine whether or not they have a systemic problem.
Bill S-4 gives the Privacy Commissioner the power to demand those records at any point. There's no threshold. The commissioner doesn't have to have any suspicion that something's going on. He can ask to see a company's records.
This gets to the second part of the amendment, which deals with that record-keeping requirement.
The committee heard witnesses saying that they were concerned about this requirement. What information were they going to have to maintain in the record? How long were they going to have to keep it for? They were nervous about the burden that it would create. The only thing I would point out to the committee is that all of those specific requirements will be set out in regulation, and there will be an opportunity to consult broadly with it.
The intention of the record-keeping requirement is to maintain only that information that's necessary to meet those two objectives I talked about: making sure the company pays attention to it, and providing a way for the commissioner to hold the company accountable for that risk assessment.
To the extent that the requirement to document a data breach may create a conflict in law that may be contrary to some other law, we're not aware of any federal statute that would prohibit a company from documenting that they have suffered a data breach. As for the specific requirements, if there was concern that there may be a conflict in law if the regulations, say, you have to keep it for five years and there is some other requirement that says you have to destroy these things after two years, all of that would be addressed during the regulatory process and it wouldn't be necessary to have that chapeau in the act saying unless prohibited by law.