Starting November 1, 2018, companies governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), will be required to report data breaches to affected customers, third parties and the federal Privacy Commissioner. The Office of the Privacy Commissioner (OPC) has prepared draft guidance in order to help businesses comply with these new mandatory breach reporting requirements.
PIPEDA’s Breach of Security Safeguards Regulations were published for consultation on September 2, 2017, as previously reported on in E-TIPS®, with the final version published in April 2018. In brief, these regulations require that an organization experiencing a data breach posing “a real risk of significant harm” to any individual whose personal information is involved:
- report to the breach to the Privacy Commissioner;
- notify affected individuals about the breach; and
- maintain records of the breach. The OPC understands that organizations will require additional guidance in order to fully comply with these new obligations and has accordingly prepared draft guidance and a draft breach reporting form for public consultation. Final versions of the guidance and reporting form are to be published shortly. For more information, please see the OPC’s website.
Summary By: Jae Morris