On November 1, 2018, as previously reported on in the E-TIPS® newsletter, the Personal Information Protection and Electronic Documents Act (PIPEDA)’s amendments establishing mandatory data breach reporting obligations set out in Division 1.1 of the statute come into effect.

The Office of the Privacy Commissioner of Canada (OPC) has published guidance to help businesses comply with the new requirements as well as a new reporting form to report privacy breaches. The final version of the guidance was developed following a public consultation through which the OPC received submissions from various sectors on a draft version.

Under the new regulations organizations subject to PIPEDA must:

  • report to the OPC any breach of security safeguards where it creates a “real risk of significant harm”;
  • notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
  • maintain records of all breaches, whether or not there is a real risk of significant harm or not, of security safeguards that affect the personal information under their control; and
  • keep those records for two years.

For more information, please see the OPC’s news release announcing the new data breach reporting requirements.

Summary By: Jae Morris


18 10 31

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.