Business Law, Intellectual Property, Litigation

Important amendments to PIPEDA

Sep 4th, 2018

By Frank M. Schlesinger

In 2015, amendments were made to Canada’s Personal Information Protection and Electronics Document Act (PIPEDA) by The Digital Privacy Act.

The new provisions, consisting principally of articles relating to the report of breaches of security safeguards, will come into force November 1, 2018.

The new amendments state that: “An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”

In addition, “The organization shall notify an individual of any such breach, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”

In both cases the notification shall take place “as soon as feasible after the organization determines that the breach has occurred.”

Please note that under GDPR (The General Data Protection Rules) of the European Community, which applies to any personal data of European Union residents or citizens, the breach must be reported within seventy-two (72) hours.

The definition of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effect on the credit report and damages to or loss of property.

In order to determine the real risk of significant harm, the organization must consider:

  1. The sensitivity of the information involved in the breach;
  2. The probability that the information will be misused; and
  3. Other prescribed factors.

The regulations indicate the form and manner of making these notices.

It is strongly recommended that every organization subject to PIPEDA take the necessary measures to protect personal information using state-of-the-art methods.

Organizations in Quebec should also be aware of an Act Respecting the Protection of Personal Information in the Private Sector, Quebec, Chapter P-39.1, which also contains many provisions concerning confidentiality and protection of personal information.

We would be pleased to assist you in determining whether any of the above applies to your organization and what measures should be put into place.