In 2015, the federal government amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to require organizations to report certain serious breaches of personal information to the Office of the Privacy Commissioner (OPC) and to notify affected individuals. The government recently announced that these breach reporting requirements will come into force on November 1, 2018. The final text of the Breach of Security Safeguards Regulations (Regulations), which sets out the required content of both the report to the OPC and the notice to individuals, will be published on April 18, 2018 (see our 2017 analysis of the draft Regulations).
What You Need to Know
- Organizations will be required to (1) report to the OPC, and (2) notify affected individuals of any breach of security safeguards involving personal information under the organization's control where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
- The final text of the Regulations will likely include additional guidance on the content and format of breach notifications, and may address suggestions from industry, the public and the OPC during the draft Regulations' comment period in 2017.
- Companies can prepare for mandatory breach reporting by:
  - updating internal breach response protocols, record retention procedures and personal information handling and complaint policies;
  - establishing legal and fact-gathering frameworks for determining whether a privacy breach meets the "real risk of significant harm" reporting threshold (PIPEDA directs organizations to consider, among other factors, the sensitivity of the personal information involved and the probability that it has been, is being or will be misused);
  - designating a privacy breach response team, including internal stakeholders and external advisers and service providers;
  - designing templates for reports to the OPC and notices to customers, employees and other individuals;
  - drafting templates for retaining records of all breaches of security safeguards, whether or not they meet the reporting threshold, since PIPEDA requires such records to be kept and provided to the OPC on request; and
  - updating employee training materials to ensure stakeholders understand the organization's approach to complying with the new breach reporting requirements.
Although the breach reporting requirements have been part of PIPEDA since 2015 and the implementing Regulations were broadly expected to be finalized this spring, the coming into force date was not expected to be announced until after the final Regulations had been released. The announcement of a November 2018 implementation date suggests that the final Regulations will not differ significantly from the draft published in September 2017. The relatively short deferral also indicates a government view that the private sector will require little time to bring its breach response practices into compliance with the new regulatory requirements.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2019 by Torys LLP.
All rights reserved.