(November 14, 2018, 9:26 AM EST) — New rules under the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), requiring reporting of breaches to the Office of the Privacy Commissioner (OPC) and notification of affected individuals, came into force on Nov. 1, 2018. The rules mandate reporting of any “breach of security safeguards” that meets the threshold of a “real risk of significant harm.”
PIPEDA’s Breach of Security Safeguards Regulations set out the information that must be included in reports and notifications.
The threshold requirement for reporting (and notification) is that it is reasonable to conclude that the breach creates a “real risk of significant harm to an individual.” To assist, PIPEDA provides a non-exhaustive definition of “significant harm” and identifies the factors relevant to making such a determination. To further assist organizations in making this determination, at the end of October the OPC issued a guidance document — What you need to know about mandatory reporting of breaches of security safeguards. There, the OPC indicates that a two-tier assessment is required: firstly, the sensitivity of the information
David Young Law