PIPEDA’s mandatory breach reporting rules to come into force November 1, 2018

By Order in Council dated March 26, 2018, the federal government has set November 1, 2018 as the in-force date for new privacy breach reporting rules adopted under amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  The final text of the Breach of Security Safeguards Regulations will be published in the Canada Gazette on April 18.

The new rules mandate reporting to the Office of the Privacy Commissioner, as well as notification of affected persons, of any security breach posing a “real risk of significant harm” to individuals.  These responses must be made as soon as feasible after discovery of a breach.  The regulations will set out the items of information that must be included in the reports and notifications.  In addition, the new rules will require organizations to keep records of all breaches whether or not they meet this threshold.

Proposed regulations were published on September 2, 2017 for stakeholder comment.  In my September 2017 Compliance Bulletin I reviewed the proposed regulations, suggesting that they provided a “heads up” for organizations seeking to prepare for the new breach reporting regime.  It is likely that the final regulations will follow closely the requirements set out in the proposed regulations.

Publication of the final regulations means that organizations will have just over six months to ensure their internal protocols align with these requirements.

Guidance from ISED and the OPC

In its Regulatory Impact Analysis Statement, which accompanied the proposed regulations, Innovation, Science and Economic Development Canada (“ISED”) indicates that materials will be developed addressing additional factors to be considered when assessing the risks associated with a breach, and that it will work with the OPC to develop guidance for organizations regarding the record-keeping requirements.


© David Young Law 2018


David Young Law

Suite 3500, 2 Bloor Street East, Hudson’s Bay Centre,
Toronto ON M4W 1A8
Tel. 416-968-6286
Mob. 416-318-5521

Email: David@DavidYoungLaw.ca