The Data Breach Reporting Requirements were passed in June 2015 but are not yet in force.
With the implementation of Division 1.1 of PIPEDA, organizations that experience a data breach will have certain obligations, including the following:
- the organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach by conducting a risk assessment;
- if the organization concludes that a breach poses a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (Commissioner) as soon as feasible;
- the organization must notify any other organization that may be able to mitigate the harm to affected individuals; and
- the organization must maintain a record of any data breach that it becomes aware of and provide it to the Commissioner upon request.
The Regulations will require organizations to maintain sufficient information in a data breach record to demonstrate that they are tracking data security incidents that result in a breach of personal information, and require that organizations hold data breach records for a minimum period of time, specifically 24 months.
Review the regulations on the Government of Canada's website and an article on Lexology's website.