
Retail Council of Canada's Comments on the Federal Government's Response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics
Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
January 15, 2008
Breach Notification
Mandatory Notification
RCC and its members view the recently developed Key Steps for Organizations in Responding to Privacy Breaches as an important tool in delivering on the promise of customer privacy protection. There is strong support among RCC members to have these guidelines in place to assist retailers of all sizes in fulfilling their privacy responsibilities. RCC continues to market these guidelines to our members as a best practices resource.
In short, these guidelines are extremely useful as they set the parameters for what a breach actually is and outline a clear process for the identification and assessment of any risk at hand.
No two breaches are the same and it is important that retailers have the flexibility to use these guidelines to determine whether or not the Privacy Commissioner and consumers need to be notified, in the event of a breach.
The purpose of notification is to allow affected parties to mitigate the risk of harm. It is critical to the integrity of PIPEDA and the privacy protection of Canadians that notification serves this purpose. Unnecessary notifications of possible breaches, where no harm can be caused, would not serve Canadians well and would be unnecessarily costly for retailers – not to mention a strain on the resources of the Office of the Federal Privacy Commissioner (OPC).
RCC understands that the government is considering tabling legislation to make breach notification mandatory. While RCC would contend that the industry would like to have more time to work with the OPC privacy breach guidelines, if the government does decide to proceed with legislation we would like to see a very clear legislative provision that triggers notification when there is a significant risk of harm to an individual or individuals.
If the government does proceed in this direction, it is RCC's hope that it and other like-minded business associations would be in a position to work with the federal government on the line-by-line drafting of the accompanying regulations.
That being said, RCC would like to reiterate its position that in these early days the breach notification guidelines are working and any move to legislate at this time would be premature.
Commissioner's Oversight
The Office of the Federal Privacy Commissioner lends important assistance to businesses and individuals on an ongoing basis by providing training tools and helpful information to deal with emerging privacy matters.
RCC is concerned with Recommendation 24 of the Report which recommends that the Privacy Commissioner "should make a determination as to whether or not affected individuals and others should be notified" once notified of a privacy breach.
RCC believes that while it is important for the OPC to fulfil this function in some cases, it would be neither practical nor efficient to put the Commissioner's Office in a position to review each and every breach that occurs in Canada.
Step 3 in the OPC's breach notification guidelines lays out a clear framework for when to notify, who to notify, who should notify, what should be included in the notification and other people to contact — including the OPC.
It is clearly stated in Step 3 of the guideline that "notification can be an important mitigation strategy that has the potential to benefit both the organization and the individuals affected by a breach." RCC strongly believes that the notification decision should be made by the organization itself, unless specific direction is requested of the OPC.