Business Law, Intellectual Property, Litigation

Important amendments to PIPEDA

Sep 6th, 2018

By Frank M. Schlesinger

In 2015, amendments were made to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) by the Digital Privacy Act.

The new provisions, consisting principally of articles relating to the reporting of breaches of security safeguards, will come into force November 1, 2018.

The new amendments state that: “An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”

In addition, “The organization shall notify an individual of any such breach, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”

In both cases the notification shall take place “as soon as feasible after the organization determines that the breach has occurred.”

Please note that under GDPR (The General Data Protection Rules) of the European Community, which applies to any personal data of European Union residents or citizens, the breach must be reported within seventy-two (72) hours.

The definition of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effect on the credit report and damages to or loss of property.

In order to determine the real risk of significant harm, the organization must consider:

  1. The sensitivity of the information involved in the breach;
  2. The probability that the information will be misused; and
  3. Other prescribed factors.

The regulations indicate the form and manner of making these notices.

It is strongly recommended that every organization subject to PIPEDA take the necessary measures to protect personal information using state-of-the-art methods.

Organizations in Quebec should also be aware of an Act Respecting the Protection of Personal Information in the Private Sector, Quebec, Chapter P-39.1, which also contains many provisions concerning confidentiality and protection of personal information.

We would be pleased to assist you in determining whether any of the above applies to your organization and what measures should be put into place.