Privacy Commissioner’s Guidance for Compliance with PIPEDA’s Breach of Security Safeguards Obligations


On October 29, 2018, the Office of the Privacy Commissioner of Canada (“OPC”) issued a guidance document titled “What you need to know about mandatory reporting of breaches of security safeguards” (the “Guidance”) to help organizations comply with personal information security breach obligations under Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).

PIPEDA’s personal information security breach provisions will come into force on November 1, 2018. PIPEDA regulates the collection, use and disclosure of personal information in the course of commercial activities by private sector organizations in all provinces except British Columbia, Alberta and Québec (each of which has a substantially similar personal information protection law) and by all organizations that operate a “federal work, undertaking or business” (e.g. banks, telecommunications and transportation companies) or that transfer personal information across a provincial border for consideration.

The Breach of Security Safeguards Regulations (the “Regulations”), which were published on April 18, 2018, clarified certain key concepts of PIPEDA’s security breach provisions (see our previous bulletin on the topic).

The Guidance contains useful clarifications regarding the respective responsibilities of organizations “in control” of personal information and of organizations which merely process it. It also provides details regarding the assessment of a “real risk of significant harm” to individuals and the obligations to report breaches to the Commissioner, to notify individuals and to keep records of all breaches.

Read our bulletin on this topic.

This content has been updated on October 31, 2018 at 15 h 33 min.