Human Resources Legislative Update

Proposed Data Breach Regulations Under PIPEDA Published

Date: September 6, 2017

On September 2, 2017, the federal government published the proposed regulatory text of the Breach of Security Safeguards Regulations (Regulations) made under the Personal Information Protection and Electronic Documents Act (PIPEDA). Interested persons have been invited to make representations on the Regulations.

As previously reported, amendments to the PIPEDA enacted by the Digital Privacy Act will, upon proclamation, require private sector organizations to provide notice of a “breach of security safeguards” involving personal information if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm.

The PIPEDA amendments, which create a new Division 1.1 (Breaches of Security Safeguards), are not yet in force pending finalization of the supporting regulations, which have now been proposed.

The Regulations set out the requirements for:

  • the content, form and manner of the report required to be given to the Office of the Privacy Commissioner of Canada (OPC) by an organization in the event of a breach of security safeguards involving personal information under its control where it is reasonable to believe that the breach creates a real risk of significant harm
  • the content of the notification required to be given by organizations to individuals affected by a breach of security safeguards (this is in addition to the notification requirements set out in ss. 10.1(4) of the PIPEDA, which state that the notification must contain “sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm”)
  • the manner of direct notification required to be given by organizations to affected individuals, or, where applicable in specified circumstances, the manner of indirect notification
  • record-keeping, including the length of time a record of every breach of security safeguards involving personal information (note that this would include those that do not pose a real risk of significant harm) must be maintained, requirements for compliance, and a provision that a data breach report to the OPC may be used by the organization as a data breach record.

The government has invited representations on the proposed text of the Regulations, which must be received within 30 days of its publication (September 2, 2017).

Representations must cite the Canada Gazette, Part I, September 2, 2017, and be addressed to:

Jill Paterson
Senior Policy Analyst, Digital Policy Branch
Spectrum, Information Technologies and Telecommunications (SITT) Sector, Innovation, Science and Economic Development Canada
CD Howe Building
235 Queen Street, Room 162D
Ottawa, Ontario K1A 0H5
email: jill.paterson@canada.ca