Today new data breach regulations come into effect in Canada. With significant digital breaches on the rise worldwide, Canada passed the Digital Privacy Act in 2015, amending its private sector privacy law, the Personal Information Protection and Electronic Documents Act (the “Act”), to impose breach of security safeguards requirements on private sector organizations and to create offences for certain contraventions of the Act.
The Office of the Privacy Commissioner has published guidance on the new obligations and a report form for notifying it of breaches. Among the changes and obligations, private sector organizations must
- determine whether the breach poses a “real risk of significant harm” to any individual whose information was involved and under the control of the organization, by conducting a risk assessment that considers the sensitivity of the information and the likelihood that it will be misused;
- notify affected individuals and report to the Office of the Privacy Commissioner of Canada (“OPC”) as soon as feasible;
- notify any other organization that may be able to mitigate harm to affected individuals; and
- maintain records of all data breaches for two years and provide them to the OPC upon request.
These new changes do not necessarily apply in provinces that have substantially similar privacy legislation, which means they may not affect private sector organizations subject to Quebec, British Columbia and Alberta law. However, any international transactions and federally regulated organizations remain subject to the Act.
Note that not all breaches must be reported to the OPC. The new obligations are also similar to the regulations imposed by other governments around the world. Given the changes in European privacy law that came into effect this summer, your organization’s practices may already be generally aligned with the new Canadian regulations, but it is incumbent upon you to check whether
- your organization’s data breach response plan is adequate;
- your organization can identify if any breaches meet the real risk of significant harm test; and
- your organization has other adequate systems in place to deal with breaches and decide who or which roles are best placed to make decisions regarding breaches and notifications.
To avoid headaches in the future and fines of up to $100,000 under the new regulations, we encourage all organizations to seek professional advice and assess their cybersecurity practices and systems.
If you have any additional questions about whether the data breach regulations apply to your organization or would like to discuss how your organization should comply with the Act, feel free to contact us.