Companies subject to the Personal Information Protection and Electronic Documents Act (the “PIPEDA”) will now need to satisfy the reporting and record-keeping obligations under Canada’s new data breach reporting law.
Reporting Threshold – a “real risk of significant harm”
We previously reported on this when the draft guidance was made available. PIPEDA requires organizations to report every “breach of security safeguards” involving personal information under their control if it is reasonable to believe the breach creates a “real risk of significant harm.” One addition worth noting is the requirement to keep sufficient records of the organization’s real-risk-of-significant-harm analysis so that the Office of the Privacy Commissioner of Canada (the “OPC”) can review that analysis.
Timing – as soon as feasible
Organizations must report a breach as soon as feasible after it occurs. This is true even if not all information about the incident is yet known.
Who gets the notice? – OPC, Individuals, and Other Relevant Organizations
In addition to notifying the OPC, an organization must notify the affected individuals as soon as possible when the breach poses a real risk of significant harm to them. Other relevant organizations, such as law enforcement agencies or, in the case of a payment data breach, financial institutions, will also need to be notified.
How OneTrust Helps – Record Keeping
It’s clear that incident and breach management continues to be an important factor for privacy programs across the globe. OneTrust’s Incident and Breach Management solution can help you maintain incident and breach records, evaluate them against notification requirements, and analyze overall risk through connections to the underlying data inventory. Use OneTrust to record:
- Date or estimated date of the breach;
- General description of the circumstances of the breach;
- Nature of information involved in the breach;
- Whether the breach was reported to the Privacy Commissioner of Canada and whether affected individuals were notified; and
- If the breach was not reported to the Privacy Commissioner or individuals were not notified, a brief explanation of why the breach was determined not to pose a “real risk of significant harm.”
OneTrust’s Privacy Team provides research built into the software that covers many jurisdictions to ensure customers have the most up-to-date information to make smart decisions quickly.