Since Nov. 1, 2018, Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations that suffer a data breach involving personal information to:
- Report the breach to the Office of the Privacy Commissioner of Canada (OPC).
- Give notice of the breach to affected individuals.
- Maintain records of data breaches that affect personal information.
To help organizations better understand their obligations, the OPC recently published final guidance on the law.
The main component of these new obligations relates to data breach reporting. When an organization suffers a breach of security safeguards involving personal information under its control, and there is reason to believe that the breach creates a real risk of significant harm to an individual, the organization must report the breach.
In its final guidance, the OPC clarified a number of concepts to help organizations better understand this requirement and what’s expected of them.
Breach of security safeguards
A breach of security safeguards is the “loss of, unauthorized access to or disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.” Security safeguards include physical, organizational, and technological measures designed to protect against the loss, theft, and unauthorized access, disclosure, copying, use, or modification of personal information.
Personal information under the control of an organization
The obligation to report a breach rests with the organization that has control of the personal information involved in that breach.
Reporting breaches and significant harm
Only breaches that create a real risk of significant harm need to be reported to the OPC. Significant harm may include bodily harm, humiliation, damage to reputations or relationships, loss of employment, financial loss, identity theft, etc.
The format of breach reports
The OPC provides a model form that organizations should use to report a breach. Organizations must submit reports as soon as feasible and must specify the date of the breach, a description of the breach, the nature of the information involved in the breach, and whether or not the breach was reported to the OPC and the affected individuals.