On September 2nd 2017, an amendment was proposed to the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
The proposed regulations require an organisation to report a breach to the Privacy Commissioner of Canada if, in light of the circumstances, it is reasonable to believe that the breach results in a 'real risk of significant harm' to a data subject. They also set out the details as to:
- The contents of the report to the Commissioner;
- The contents of a notice to a data subject affected by the breach;
- How notice must be given;
- Record keeping requirements.
The contents of the report to the Commissioner are similar to existing requirements for voluntary reporting.
Notice to a data subject is required where there is a real risk of significant harm to that individual. Notices to the individual mirror those requirements. There is a proposal to include steps the data subject can take to minimise the risk of harm. Notice may be given by post, telephone or in person. Notice by email is permitted only if the individual has consented to receiving information from the organisation in that way.
Records of breaches must be maintained for 2 years after the date on which it was determined that a breach had occurred.
Originally published 15 September 2017
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.