ARTICLE
1 November 2018

What To Expect Come November 2018: Privacy Commissioner's Final Guidelines On Mandatory Breach Reporting Under PIPEDA

Blake, Cassels & Graydon LLP


Blake, Cassels & Graydon LLP (Blakes) is one of Canada's top business law firms, serving a diverse national and international client base. Our integrated office network provides clients with access to the Firm's full spectrum of capabilities in virtually every area of business law.

On October 29, 2018, the Office of the Privacy Commissioner of Canada (OPC) published the final guidance intended to assist organizations in complying with the mandatory breach reporting and record-keeping requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA), which come into effect on November 1, 2018.

As of November 1, organizations subject to PIPEDA will be required to notify the OPC and affected individuals of "a breach of security safeguards" involving personal information under the organization's control where it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to affected individuals. Other organizations and government institutions must also be notified if they may be able to mitigate or reduce the risk of harm to affected individuals. Organizations must also keep and maintain records of all breaches of security safeguards regardless of whether they meet the harm threshold for reporting.

Failure to report a breach or maintain records as required is an offence under PIPEDA, punishable by a fine of up to C$100,000.

The OPC's guidance provides direction to organizations on how to assess whether a particular breach creates a "real risk of significant harm", outlines the OPC's minimum expectations for breach records, and provides a breach report form that organizations may use to report a breach to the OPC.

The final guidance also clarifies that the organization in "control" of personal information is responsible for complying with PIPEDA's reporting and record-keeping requirements, and that an organization acting only as a service provider to the controlling organization is not subject to these requirements. This is an improvement over the draft guidance, which suggested that both organizations would be required to file a report with the OPC, a position that is inconsistent with the wording of the statute and with existing business practices.

For more information about PIPEDA's breach reporting and record-keeping requirements, please see our previous Blakes Bulletins:

For permission to reprint articles, please contact the Blakes Marketing Department.

© 2018 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
