Important Changes to Pipeda Requirements: Privacy Breaches, Recording Keeping and Reporting Requirements

By on 2018/10/25

A friendly reminder…

As you are likely already aware, as of November 1, 2018, any organization that is subject to the Personal Information Protection and Electronic Documents Act of Canada (“PIPEDA”) will now have additional obligations in the event that your organization encounters a privacy breach.

What is a Privacy Breach?

Generally speaking, a privacy breach is considered to be a loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.

What do we need to do?

  1. In the event of a breach, and where the nature of that breach is such that there is a real risk of significant harm to any affected individual(s), your organization must notify that/those affected individual(s) of the breach in accordance with PIPEDA. A “real risk of significant harm” is fact specific and must take into account the sensitivity of the compromised personal information.  No notification is required if the notification would be prohibited by PIPEDA, for example that it would compromise an investigation etc.
  2. Where your organization has determined that there is a real risk of significant harm to any individual resulting from such a breach, your organization must notify the Privacy Commissioner of Canada as soon as feasible after your organization has determined that a breach has occurred.
  3. Keep a general record/log of all privacy breaches. This means that you must keep a log of all privacy breaches concerning personal information under your organization’s custody or control.  The Office of the Privacy Commissioner may request this record/log from organizations that are required to comply with PIPEDA.

Privacy breach record or log should contain: (i) date of the breach, (ii) a general description of the circumstances of the breach, (iii) the nature of the information that was the subject of the breach; (iv) whether or not you notified affected individuals and/or the Privacy Commissioner; and (v) if the breach was not reported, you will need to keep details concerning why the breach did not constitute a “real risk of significant harm”.

This information is a general comment on the changes that will take effect shortly and is provided for information purpose only.

DISCLAIMER: This article is presented for informational purposes only.  The views expressed are solely the author(s)’ and should not be attributed to any other party, including Taylor McCaffrey LLP.  While care is taken to ensure accuracy, before relying upon the information in this article you should seek and be guided by legal advice based on your specific circumstances.  The information in this article does not constitute legal advice or solicitation and does not create a solicitor-client relationship.  Any unsolicited information sent to the author(s) cannot be considered to be solicitor-client privileged.

If you would like legal advice, kindly contact the author(s) directly or the firm's Managing Partner Norm Snyder at nksnyder@tmlawyers.com, or 204.988.0302.