Found in Translation: New PIPEDA Data Breach Reporting and Notification Requirements - What You Need to Know

Written By: Dr. Gabriella Chan

Is my information safe?

Do you remember every account you’ve ever created or every point of contact you’ve made online that required your personal email address or your mother’s maiden name to receive a “free” product? Probably not. The reality is that we don’t have any idea what kind of personal information about us is floating on the web, who has it, and what they can do with it. We either place our blind trust in these organizations to keep our information secure, or worse yet, we don’t even give it a second thought – until a data breach is publicized through the media.

Perhaps the companies in the health sector might be a slight exception. We tend to be more aware of the implications of having our personal health information fall into the wrong hands, so we have higher expectations that custodians of our health information safeguard it accordingly. Privacy regulation of personal health information is a provincial matter. In Ontario, the Personal Health Information Protection Act (PHIPA) sets the rules around the collection, use and disclosure of individuals’ personal health information.

On a broader scale, to ensure adequate measures are taken to protect Canadians’ personal information, there is legislation in place. The Personal Information Protection and Electronic Documents Act (PIPEDA) provides the privacy legislation framework for Canadian organizations in the private sector. PIPEDA requires organizations to protect the personal information they’ve collected about an identifiable individual. Ontario’s PHIPA has been declared substantially similar to PIPEDA.

On November 1st, 2018, an amendment to PIPEDA came into effect that imposes certain obligations on organizations that experience a breach of the security safeguards protecting personal information in their custody. This amendment requires three points of action:

  1. Reporting the breach to the Office of the Privacy Commissioner
  2. Notifying individuals and other organizations affected by the breach
  3. Maintaining accurate records of every data breach

These added requirements reflect Canada’s respect for the privacy of personal information. Organizations will have to implement or update their handling practices to ensure compliance with the new legislation.

You can read my full post on what these changes mean for you, here. This is a comprehensive overview explaining what a breach of data is, when to report it, how to follow the notification obligations, and the requirements on record-keeping.