As of November 1st 2018, organizations subject to The Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to:
- report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals
- notify affected individuals about those breaches, and
- keep records of all breaches.
So simply dealing with a potentially harmful privacy breach when and if it happens is not sufficient compliance. The Commissioner can ask to see that breach record at any time. Failure to comply with the recording and notification requirements can result in a penalty of up to $100,000. From a practical perspective, it means that there must be awareness by staff about what a breach of security safeguards is, and who to tell about it. It can’t be based only on complaints. The Privacy Commissioner has published guidance on this. This guidance will provide an overview of what you need to know about these obligations.
What is a breach of security safeguards?
A “breach of security safeguards” is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.
Does this apply to small businesses?
Yes. Large and small businesses all have to meet PIPEDA requirements to report and notify of breaches that pose a real risk of significant harm, and to keep records of all breaches. The chart below is an overview of the process. Be sure to follow the detailed definitions and requirements in PIPEDA.
Are there financial penalties?
Yes. Under PIPEDA it is an offence to knowingly contravene PIPEDA’s breach reporting, notification and record-keeping requirements, and doing so could lead to fines.
More Resources:
- We have written on this topic earlier this year.
- Here's the PIPEDA website for your reference.
- Here's the PIPEDA Compliance Help website.
Credits: Diagram courtesy of Harrison Pensa LLP