
Government of Canada: Proposed New Regulations in respect of Mandatory Reporting of Data Breaches under PIPEDA [Completed]

Date issued:

March 26, 2018

Effective date:

The data breach reporting regime under PIPEDA comes into force on November 1, 2018.

Last updated:

March 2018

Overview

On September 2, 2017, the Government of Canada published proposed new regulations (“Regulations”) in the Canada Gazette, which provide an update and set out details regarding the mandatory data breach reporting requirements (“Data Breach Reporting Requirements”) under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) amended PIPEDA in a number of areas. One of the key changes was the establishment of mandatory data breach reporting requirements. The Data Breach Reporting Requirements were passed in June 2015 but are not yet in force.

With the implementation of Division 1.1 of PIPEDA, organizations that experience a data breach will have certain obligations, including:

  1. the organization must determine, by conducting a risk assessment, whether the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach;
  2. if the organization concludes that a breach poses a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the “Commissioner”) as soon as feasible;
  3. the organization must notify any other organization that may be able to mitigate the harm to affected individuals; and
  4. the organization must maintain a record of every data breach it becomes aware of and provide it to the Commissioner upon request.

The proposed Regulations list the categories of information that must be contained in a notification to affected individuals. This approach is intended to provide some certainty to organizations as to what is required, at minimum, to comply with the statutory requirements for notification. At the same time, it provides flexibility on the format, design and means of notification. This allows organizations to conduct notifications in line with established practices and expectations of their stakeholders. The proposed Regulations also identify certain commonly used forms of communication as appropriate means of direct notification to individuals.

Further, the proposed Regulations list the categories of information that must be contained in a report to the Commissioner and affirm that the purpose of data breach record-keeping is to facilitate oversight by the Commissioner and to ensure compliance with requirements, which may encourage better data security practices by organizations.

To this end, the Regulations will require organizations to maintain sufficient information in a data breach record to demonstrate that they are tracking data security incidents that result in a breach of personal information, and require that organizations hold data breach records for a minimum period of time, specifically 24 months. This allows the Commissioner to request and review the history of breaches experienced by a particular organization within a two-year window.

For further details, refer to the proposed Regulations on the Government of Canada's website and an article by AUM Law on Lexology's website.


Recent developments

March 2018

On March 26, 2018, the Government of Canada announced that, on November 1, 2018, important changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force.

September 2017

On September 2, 2017, the Government of Canada published the proposed new regulations (“Regulations”) in the Canada Gazette.

June 2015

On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) amended PIPEDA in a number of areas. One of the key changes was the establishment of mandatory data breach reporting requirements. The Data Breach Reporting Requirements were passed in June 2015 but are not yet in force.
