• First Reference
  • About us
  • Contact us
  • Blog Signup 📨

First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies
You are here: Home / Business / Government of Canada publishes proposed Breach of Security Safeguards Regulations

By Occasional Contributors | 2 Minutes Read September 21, 2017

Government of Canada publishes proposed Breach of Security Safeguards Regulations

Breach of Security Safeguards RegulationsOn September 2, 2017, the Government of Canada published proposed Breach of Security Safeguards Regulations. The proposed regulations relate to the provisions in Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), which are not yet in force. The PIPEDA provisions will require an organization to notify affected individuals, and report to the Office of the Privacy Commissioner of Canada (“OPC”), as soon as feasible, regarding any data breach which poses a “real risk of significant harm” to any individual whose personal information was involved in the breach. The breach provisions in PIPEDA specify that such notification and reporting must be done in accordance with regulations passed pursuant to PIPEDA. Representations on the proposed regulations may be submitted up to October 2, 2017.

Failure to notify the OPC of a security breach, as required by the PIPEDA provisions yet to come into force, is an offence, punishable by a fine of up to $100,000. PIPEDA also contains a private right of action for affected individuals, which could result in damages being awarded by the Federal Court of Canada for failure to notify affected individuals. This private right of action also opens the door to potential class actions for an organization’s failure to comply with the breach notification provisions in PIPEDA.

The breach provisions in PIPEDA also require organizations to notify any other organization that may be able to mitigate harm to affected individuals, for example, service providers and law enforcement entities. In addition, organizations must maintain a record of any data breach and provide the record to the OPC upon request1

The proposed Breach Regulations specify that reports to the OPC must be in writing and must contain certain stipulated information, such as a description of the circumstances of the breach, the date or time period of the breach, an estimate of the number of affected individuals, a description of the steps taken to reduce the risk of harm, and a description of the organization’s notification or intended notification steps.

Notification to affected individuals must include similar information as provided to the OPC, and must also include:

  • a toll-free number or email address that affected individuals can use to obtain further information about the breach; and
  • information about the organization’s internal complaint process and about the affected individual’s right to file a complaint with the OPC.

Acceptable methods of direct and indirect notification to individuals are also set out in the proposed Breach Regulations. Indirect notification may be given in circumstances such as where the giving of direct notification would cause further harm to the affected individual, where the organization does not have the current contact information for affected individuals, or where the cost of giving direct notification is prohibitive for the organization.

We expect that consumer advocacy organizations may object to the inclusion of a cost factor for organizations in the proposed Breach Regulations, so it remains to be seen whether this part of the proposed regulations will ultimately survive.

By: Tamara Hunter and Kelly Friedman, DLA Piper

  • About
  • Latest Posts
Occasional Contributors
In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.
Latest posts by Occasional Contributors (see all)
  • Corporations Canada and new transparency about federal non-profit corporations under the CNCA and new fees for certain documents - December 21, 2022
  • How much should a Canadian registered charity spend on administration? - November 30, 2022
  • Finance proposes changes to disbursement quota for charities and some increased transparency - November 11, 2022

Article by Occasional Contributors / Business, Information Technology, Privacy / Office of the Privacy Commissioner of Canada, Personal Information Protection and Electronic Documents Act, PIPEDA, privacy law

Share with a friend or colleague

Get the Latest Posts in your Inbox for Free!

Electronic monitoring

About Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Footer

About us

Established in 1995, First Reference is the leading publisher of up to date, practical and authoritative HR compliance and policy databases that are essential to ensure organizations meet their due diligence and duty of care requirements.

First Reference Talks

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies

Main Menu

  • About First Reference
  • Resources
  • Contact us
  • 1 800 750 8175

Stay Connected

  • Facebook
  • LinkedIn
  • Twitter
  • YouTube

We welcome your comments on our blog articles. However, we do not respond to specific legal questions in this space.
We do not provide any form of legal advice or legal opinion. Please consult a lawyer in your jurisdiction or try one of our products.


Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved
Legal and Copyright Notices · Publisher's Disclaimer · Privacy Policy · Accessibility Policy