Data Breach Reporting Requirements

  • Canada

Sep 02, 2017

On September 2, 2017, the Government of Canada published proposed new regulations (the “Regulations”) in the Canada Gazette. The Regulations provide an update on, and set out the details of, the mandatory data breach reporting requirements (the “Data Breach Reporting Requirements”) under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

The Data Breach Reporting Requirements were passed in June 2015 but are not yet in force.

Once Division 1.1 of PIPEDA comes into force, an organization that experiences a data breach will have the following obligations:

  • it must conduct a risk assessment to determine whether the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach;
  • if it concludes that the breach poses a real risk of significant harm, it must notify the affected individuals and report the breach to the Privacy Commissioner of Canada (the “Commissioner”) as soon as feasible;
  • it must notify any other organization that may be able to reduce the risk of harm to the affected individuals; and
  • it must keep a record of every data breach it becomes aware of, whether or not the breach was reportable, and provide that record to the Commissioner on request.

The Regulations will require organizations to keep enough information in each data breach record to demonstrate that they are tracking security incidents involving personal information, and to retain those records for a minimum of 24 months.

The full text of the Regulations is available on the Government of Canada's website, and a commentary on them is available on Lexology's website.
