PIPEDA is administered by the federal Privacy Commissioner, who has the authority to make public…
New Mandatory Data Breach Notification Requirements under PIPEDA
To bring the Canadian requirements closer to the General Data Protection Regulation (GDPR) in the European Union, the Government of Canada finalized mandatory breach reporting and record-keeping provisions under Canada’s PIPEDA. The breach provisions were added to PIPEDA by the Digital Privacy Act and came into force on November 1st, 2018, together with the Breach of Security Safeguards Regulations, which set out the details of what must be reported and recorded.
The new provisions apply to organizations subject to PIPEDA. They include a mandatory requirement to notify affected individuals and the Office of the Privacy Commissioner of Canada (OPC, “the Commissioner”) of privacy breaches in certain circumstances, and to keep records of all privacy breaches.
We’ve compiled this article to help organizations subject to PIPEDA understand:
- What is required under the new PIPEDA legislation
- What needs to be included in data breach notifications to individuals and to the Commissioner
- The consequences of non-compliance with PIPEDA
Related Post: Data Breach Notification Laws: Canada, U.S. & Europe
The Personal Information Protection and Electronic Documents Act (PIPEDA) came fully into force on January 1st, 2004. PIPEDA applies not only to the storage of personal data but also to the collection, use and disclosure of personal information in the course of commercial activities.
PIPEDA applies to every private-sector organization that collects, uses or discloses personal information in the course of commercial activity in Canada. Organizations in Quebec, British Columbia and Alberta are covered instead by provincial legislation deemed substantially similar to PIPEDA for activities within those provinces; PIPEDA still applies to federally regulated businesses there and to personal information that crosses provincial or national borders.
►Note: PIPEDA also applies to “foreign” organizations that do business in Canada, even if they aren’t physically based in Canada.
For more information about PIPEDA and to find out whether it applies to your organization, please refer to our article Personal Information & Data Privacy in Canada: PIPEDA 101.
Changes under the Digital Privacy Act
Under the Digital Privacy Act, Canadian and non-Canadian organizations already subject to PIPEDA must put in place the processes needed to comply with the breach provisions now in force.
This amendment to Canadian federal law primarily relates to three areas:
- Data breach recordkeeping
- Data breach reporting
- Data breach notification
1. Risk Assessment
Organizations subject to PIPEDA must now assess every breach of security safeguards to determine whether it creates a “real risk of significant harm” to an individual. The assessment must take into account the sensitivity of the personal information involved and the probability that the information has been, is being or will be misused.
2. Data Breach Notification
Organizations subject to PIPEDA are required to notify the affected individuals and report to the Commissioner as soon as feasible once the assessment determines that the breach creates a real risk of significant harm.
The notification to individuals must contain enough information for them to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm.
In addition to notifying the affected individual(s), the organization must also notify any other organization or government institution that may be able to reduce the risk of harm to the affected individuals or mitigate that harm.
The regulations require notification whenever it is reasonable to believe that the breach creates a real risk of significant harm to the individual. Notification must be given directly, i.e. in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances. Indirect notification (for example, a public announcement) is permitted only in the limited cases set out in the regulations: where direct notification would likely cause further harm to the individual, would cause undue hardship for the organization, or where the organization has no contact information for the individual.
Notifying Individuals of a Data Breach
When notifying individuals of a data breach, organizations subject to PIPEDA must include the following elements about the data breach:
- The circumstances of the breach;
- The date or period of the breach (if not possible, the approximate period of the breach);
- The personal information that is the subject of the breach (to the extent known);
- The steps the organization has taken to reduce the risk of harm to the individuals, and the steps the individuals themselves could take to reduce that risk;
- The contact information of the person who the individual can contact for further details about the breach.
Notifying the Commissioner of a Data Breach
When reporting the data breach to the Commissioner, organizations subject to PIPEDA must report everything reported to the individuals (see above), plus the following elements:
- The cause of the breach, if known;
- The number of individuals affected by the breach (or, if not known, the approximate number);
- The steps the organization has taken or intends to take to notify the affected individuals.
Organizations are required to keep a record of every breach of security safeguards for at least 24 months after the day the organization determines that the breach occurred. The records must contain all the information the Commissioner needs to verify compliance with the breach notification and reporting provisions, and must be provided to the Commissioner on request.
Note that the record-keeping obligation covers all breaches of security safeguards, whether or not they met the real-risk-of-significant-harm threshold and triggered a notification.
Consequences of Non-Compliance
Failure to comply with these new mandatory regulations results in significant consequences, including fines, civil lawsuits, investigations and reputational damage.
Knowingly contravening the breach provisions is an offence under PIPEDA, punishable by fines of up to $10,000 on summary conviction or up to $100,000 for an indictable offence.
Knowingly failing to report a breach to the Commissioner, knowingly failing to notify affected individuals as required, and knowingly failing to keep (or destroying) breach records are each separate offences subject to these fines.
For more information about PIPEDA, please refer to our article Personal Information & Data Privacy in Canada: PIPEDA 101 or reach out to us directly. We would be happy to guide you in your roadmap towards compliance.