On June 18, 2015, the Digital Privacy Act (Bill S-4) amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), to incorporate mandatory data breach reporting requirements. The data breach notification provisions in the amendment to PIPEDA are set out in Division 1.1 of PIPEDA, but are not yet in force.
On September 2, 2017, the proposed regulations to implement the data breach reporting requirements were published for consultation.
The proposed regulations align closely with what is required for mandatory data breach reporting in Alberta and in the European Union.
With the proposed regulations, organizations that experience a data breach must:
- determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach;
- when a breach poses a real risk of significant harm, notify the affected individual(s) and report to the Privacy Commissioner of Canada as soon as feasible;
- notify any other organization that may be able to mitigate harm to affected individuals; and
- maintain a record of any data breach and provide it to the Commissioner upon request.
For more information, see: http://canadagazette.gc.ca/rp-pr/p1/2017/2017-09-02/html/reg1-eng.php
Summary By: Jae Morris