PIPEDA Mandatory Breach Reporting Guidelines

On September 17, 2018, the Office of the Privacy Commissioner of Canada (OPCC) published draft guidelines on mandatory breach reporting under the Personal Information Protection and Electronic Documents Act (PIPEDA). A final version of the guidelines will be published in October upon reviewing feedback from stakeholders. The guidelines are intended to assist organizations in meeting breach reporting and recordkeeping obligations set out in the Breach of Security Safeguards Regulations under PIPEDA, which come into force on November 1, 2018.

Come November, where it is reasonable in the circumstances to believe that a data breach creates a “real risk of significant harm” to affected individuals, an organization must report the breach to the OPCC as well as notify affected individuals. Other organizations and government institutions must also be notified where such organizations or institutions may be able to mitigate or reduce the risk of harm to those affected. Organizations must also maintain records of all breaches of security safeguards regardless of whether they meet the harm threshold for reporting.

Failure to report a breach or to maintain records as required is an offence under PIPEDA, punishable by a fine of up to CDN $100,000.

The draft guidelines provide regulator advice in certain areas, including whether service providers have an obligation to report breaches to the OPCC and the types of harm that will be considered “significant”. The guidelines also provide a report form that organizations may use to report a breach. Certain fields on the form are marked as mandatory and others as optional. Organizations will be required to share the risk mitigation steps they have taken.

PRIVATECH will be hosting a series of webinars to discuss the guidelines and their impact on organizations’ breach response plans. Visit www.PIPEDABreach.com for more information, including dates and a webinar brochure, and to register. Space is limited.