Coming Soon – Mandatory Privacy Breach Reporting and Record-Keeping
Be aware that, effective November 1, 2018, the provisions of Canada’s Digital Privacy Act dealing with privacy breach notification and breach record keeping will come into force.
Under these provisions, organizations will be required to:
- report to the Office of the Privacy Commissioner of Canada (OPC), and
- notify affected individuals and relevant third parties (in certain circumstances)
about “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals.
- An organization will also be required to notify any other organization or government institution if it believes the other body may be able to reduce the risk of or mitigate the harm. For example, a retailer could notify a credit card issuing bank or law enforcement agency. The consent of individuals would not be required for such disclosures.
- Notification to affected individuals and reporting to the OPC will be required as soon as feasible after an organization determines that the breach has occurred.
- Organizations will also be required to keep a record of all breaches involving personal information and provide a copy to the OPC upon request.
- Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches could face fines of up to $100,000.
- “Breach of security safeguards” is defined in PIPEDA and generally includes what is commonly known as a data breach.
- “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft among others. Factors that organizations will need to consider when assessing the presence of a real risk of significant harm include the sensitivity of the information involved and probability that the information was or will be misused (or any other prescribed factor).
Invitation for Discussion:
If you would like to discuss any aspect of Canadian privacy legislation in greater detail, or any other business law matter, please do not hesitate to contact one of the lawyers in the Business Law group at Nerland Lindsey LLP.
Note that the foregoing is for general discussion purposes only and should not be construed as legal advice to any one person or company. If the issues discussed herein affect you or your company, you are encouraged to seek proper legal advice.