On November 1, 2018, as previously reported in the E-TIPS® newsletter, the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) establishing mandatory data breach reporting obligations, set out in Division 1.1 of the statute, come into effect.
The Office of the Privacy Commissioner of Canada (OPC) has published guidance to help businesses comply with the new requirements, as well as a new form for reporting privacy breaches. The final version of the guidance was developed following a public consultation through which the OPC received submissions from various sectors on a draft version.
Under the new regulations, organizations subject to PIPEDA must:
- report to the OPC any breach of security safeguards where it creates a “real risk of significant harm”;
- notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
- maintain records of all breaches of security safeguards that affect the personal information under their control, whether or not there is a real risk of significant harm; and
- keep those records for two years.
For more information, please see the OPC’s news release announcing the new data breach reporting requirements.
Summary By: Jae Morris