On November 1, 2018, important changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force, affecting most Canadian businesses that handle personal information.
In June 2015, the Canadian government passed the Digital Privacy Act (DPA). The DPA had the effect of modifying PIPEDA in several key ways. While most of the amendments came into effect when the DPA was passed, provisions relating to mandatory breach notification and record-keeping did not. Subsequently, on September 2, 2017, the Canadian government published the proposed Breach of Security Safeguards Regulations (Breach Regulations) to bring those remaining provisions into effect. The Breach Regulations will impose significant new obligations on organizations that are the subject of a data breach.
Pursuant to the new PIPEDA provisions, an organization that experiences a “breach of security safeguards”, which is defined as a loss or unauthorized access or disclosure of personal information resulting from a breach of the organization’s security safeguards, will be required to report the incident to the Office of the Privacy Commissioner of Canada (OPC) and notify individuals affected by the breach where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual”. The term “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. The Breach Regulations set out the technical requirements for reporting breaches to the OPC and the prescribed form for notifying affected individuals. These include a description of the steps taken by the organization to reduce or mitigate harm. Both the report to the OPC and the notification to affected individuals must be given “as soon as feasible” after the organization determines that the breach has occurred.
In addition, the new Breach Regulations will impose significant record-keeping requirements on organizations. Organizations will be required to maintain a record of every breach of security safeguards for a minimum of 24 months after the organization has determined that a breach has occurred. The records must contain any information relating to the breach that would enable the OPC to verify the organization’s compliance with PIPEDA.
The new rules will have sweeping implications for compliance, legal risk and related matters for businesses that process information about Canadians. Businesses subject to PIPEDA must take steps now, prior to November 1, 2018, to ensure that they have assessed and addressed how they will comply with the new rules. This includes ensuring that written policies and practices are in place to track and report data breaches, to determine whether there is a “real risk of significant harm to the individual”, and to mitigate any such risks. Efforts to do so may also help reduce the risk of any potential fines levied against an organization for failure to comply with PIPEDA.