Proposed Breach of Security Safeguards Regulations under PIPEDA

Published on

September 25, 2017

Draft Breach of Security Safeguards Regulation (“Draft Regulations”) under PIPEDA were published in the Canada Gazette, Part I on September 2, 2017 and are open for public consultation for a period of 30 days thereafter. The Draft Regulations are being proposed pursuant to Division 1.1 of PIPEDA, which, when it comes into force, will require any data breaches that pose a “real risk of significant harm” to be reported by organizations to the OPC, and will further require organizations to notify the individuals who are affected by such data breaches. As, in some situations, charities and not-for-profits could be subject to PIPEDA, they should be aware of these new requirements.

The Draft Regulations set out the minimum content for the mandatory reports to the OPC as well as for the notifications to affected individuals. The latter includes a requirement that the notice contain information about the organization’s internal complaints process and advice about the individual’s right to make a complaint to the OPC. The Draft Regulations set out the means by which direct notification may be given to affected individuals (by mail, in person, by telephone or by email if the person has already consented to receiving information from the organization in that manner) and permits indirect notification in limited circumstances by way of advertising or conspicuous posting on the organization’s website. The Draft Regulations also require organizations to retain records of every data breach for a period of 24 months, regardless of their materiality.

The mandatory notification requirements set out in Division 1.1 and in these regulations are largely in keeping with existing mandatory breach reporting in other jurisdictions in Canada as well as in the European Union and will be familiar to health information custodians subject to Ontario’s Personal Health Information Protection Act.

All organizations subject to PIPEDA will be impacted by the new mandatory reporting regime. PIPEDA applies to every organization, including charities and not-for-profits, in respect of the personal information that it collects, uses or discloses in the course of commercial activities. Whether an organization can be said to collect, use or disclose personal information in the course of a commercial activity will vary depending on the facts of each case and charities and not-for-profits should not assume that they are exempt from PIPEDA.

The Draft Regulations are expected to come into effect at the same time as the statutory requirements pertaining to data breach reporting under Division 1.1.

The release of the Draft Regulation is timely in light of the recent Equifax privacy breach, discussed in Equifax Breach Demonstrates What Not to Do, below, and in light of the Wal-Mart Canada Corp. privacy breach reported in our June 2017 Charity & NFP Law Update.