Starting November 1, 2018, companies governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to report data breaches to affected customers, third parties and the federal Privacy Commissioner. The upcoming data breach notification obligations will cover such companies in all provinces except Alberta, British Columbia and Québec, as well as federally regulated businesses such as banks and telecommunications companies.
The Digital Privacy Act, the Act amending PIPEDA, imposes notification obligations on organizations if it is reasonable in the circumstances to believe that the breach creates “a real risk of significant harm” to the individual. Should this harm threshold be exceeded, then organizations are required to notify:
- the Privacy Commissioner;
- the affected individual(s); and
- any organization that can mitigate the harm, or risk of harm, caused by the breach.
The associated Breach of Security Safeguard Regulations, also coming into force on November 1, 2018, will elaborate on an organization’s data breach reporting obligations. Specifically, they will set out the content, form and manner of notification and provide additional details on an organization’s record-keeping requirements.
Summary By: Jae S. Morris