OPC reveals PIPEDA data breach requirements

The new rules, effective Nov. 1, impose mandatory disclosure when a breach brings a "risk of significant harm."

Canadian Privacy Commissioner Daniel Therrien addresses the International Association of Privacy Professionals in May.

The Office of the Privacy Commissioner (OPC) has made public the final version of new regulations that impose mandatory data breach disclosure requirements on Canadian businesses under revisions to the federal private sector privacy law.

Effective Nov. 1, Canadian organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will have to report to the commissioner’s office any breach of security safeguards that creates a “real risk of significant harm” to consumers, and they will have to notify the individuals affected by the breach. They will also have to keep records of all security breaches involving personal information for two years.

Under the new rules, organizations will need to report a breach whether it “affects one person or a 1,000,” according to the OPC, and those that fail to do so could face stiff penalties. Businesses are responsible for the data that is under their control, as well as the personal information they share with third parties.

But they will not be obliged to report all breaches, only those thought to create a “real risk of significant harm,” defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property,” notes the OPC on its website.

When determining whether real risk is involved, organizations will need to consider the “sensitivity of the personal information involved in the breach of security safeguards and the probability the personal information has been/is/will be misused.”

The new provisions bring PIPEDA in line with Alberta’s provincial Personal Information Protection Act, which has had similar regulations in place since 2010.

“The number and frequency of significant data breaches over the past few years have proven there’s a clear need for mandatory reporting,” said Daniel Therrien, Canada’s Privacy Commissioner, in a press statement. “Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”

He added that the regulations are “imperfect but a step in the right direction.”

The OPC shared draft regulations on Sept. 17, to which 20 organizations submitted feedback before the Oct. 2 deadline. The final version of the rules was revealed on Oct. 29.

A recent survey by the Canadian Internet Registration Authority revealed that 66% of Canadian business leaders with responsibility for IT security decisions were unfamiliar with the European Union’s General Data Protection Regulation, which came into force in May. In comparison, only 38% indicated they were unfamiliar with PIPEDA. However, that number is still significant, given that 60% reported collecting personal data from their customers, suppliers, vendors or partners.

During fiscal year 2017-18, the OPC recorded 116 breach reports under existing PIPEDA legislation of the 297 complaints made, as well as 286 breach reports under the Privacy Act of a total of 1,254 complaints.

Last February, the House of Commons Standing Committee on Access to Information, Privacy and Ethics – which has been tasked with reviewing Canada’s privacy laws – agreed with the recommendations to amend PIPEDA. But according to the OPC, the body has called for the creation of additional measures inspired by GDPR.