Publication of the federal government’s proposed Breach of Security Safeguards Regulations on September 2, for a 30 day consultation period, provides important guidance to organizations and their internal compliance personnel. The proposed regulations, while potentially subject to adjustment following the consultation, provide a significant road-map as to the full scope of the new incident breach reporting provisions under the Personal Information Protection and Electronic Documents Act (PIPEDA). These provisions will create new liability risks and compliance costs for organizations.
The final regulations, together with the new PIPEDA rules, will come into force in the spring of 2018.
The new PIPEDA breach reporting rules were enacted under the Digital Privacy Act, passed by Parliament in 2015 but not yet in force. They will require organizations to report to the Office of the Privacy Commissioner of Canada (“OPC”) any breach of security safeguards involving personal information that poses a “real risk of significant harm” to individuals, and notification of the breach to those individuals. They also require notification of other organizations and government entities where such notification could reduce or mitigate the risk of harm. Finally, the new rules require organizations to maintain records of all breaches, irrespective of whether or not they are reported.
Read the Full PDF:
David Young Law
Suite 3500, 2 Bloor Street East, Hudson’s Bay Centre,
Toronto ON M4W 1A8