The Office of the Privacy Commissioner of Canada released new breach reporting requirements for businesses last week. The Personal Information Protection and Electronic Documents Act (PIPEDA) will impact private-sector organizations that operate or do business with Canadian customers. The newly enacted federal privacy law establishes ground rules for how businesses must handle personal information in the course of commercial activity, mandating that organizations must obtain an individual’s consent when they collect, use or disclose the individual’s personal information.
Perhaps most notably, PIPEDA is similar to the European Union’s General Data Protection Regulation (GDPR) since it requires Canadian companies to alert customers any time their personal information may have been compromised.
“The number and frequency of significant data breaches over the past few years have proven there’s a clear need for mandatory reporting,” Commissioner Daniel Therrien said. “Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”
A statement from the commissioner’s page lists, in brief, the new regulations for organizations subject to PIPEDA:
- Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”
- Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
- Keep records of all breaches of security safeguards that affect the personal information under their control; and
- Keep those records for two years.
Commissioner Therrien called the regulations “imperfect but a step in the right direction.”
He also raised concerns that the reporting requirements fall short in that, for example, they don’t ensure the breach reports to his office provide the information necessary to assess the quality of organizations’ safeguards. As well, the Canadian government has not provided the Privacy Commissioner’s office with resources to analyze breach reports, provide advice and verify compliance. As a result, the office’s work will be somewhat superficial and the regime will be less effective in protecting privacy.
According to the PIPEDA information page:
The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by appropriate safeguards.
Additionally, a privacy toolkit is available here to help organizations live up to their PIPEDA responsibilities.
Justin Smulison authored this post.