As of 1 November 2018, organisations subject to the Canadian Personal Information Protection and Electronic Act (PIPEDA) (previously amended in March), will be required to comply with the new privacy breach reporting rules. Any breach of the reporting rules obligations may result in the business being charged with an offence, which could result in a fine of up to CAD 100,000.
Such reporting rules require all organisations, regardless of their size, to notify the Privacy Commissioner, as well as affected individuals, of any privacy breach that poses a genuine risk of "significant harm". Significant harm is defined as humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effect on credit record, or damage to or loss of property. Organisations are also required to maintain a record of all breaches for two years, whether or not there is a real risk of significant harm.
According to the PIPEDA, the report to the Commissioner will have to include a description of the breach, when it occurred, the personal information that is involved, the estimated number of individuals affected and the steps that the organisation will take in response. Private sector organisations should use the PIPEDA breach report form.
We would be happy to advise on any questions concerning Canada's mandatory breach reporting rules as well as other compliance requirements stemming from PIPEDA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.