New Mandatory Breach Reporting Requirements under PIPEDA: Getting Prepared

On November 1, 2018 the new Personal Information Protection and Electronic Documents Act (PIPEDA) regulations come into effect. PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity. If your operation is based in British Columbia (BC) and you only collect, use and disclose personal information in BC, you’re governed by the Personal Information Protection Act (PIPA) of BC. However, if you are a BC based operation but have any cross-provincial or cross-border activities, the new PIPEDA regulations will apply to your organization.

The new regulations were issued in the spring of 2018 where the Canadian government published its final regulations on mandatory reporting of privacy breaches under Canada’s federal data protection law. These new PIPEDA regulations come into effect November 1, 2018.

The New PIPEDA Requirements

Where it is reasonable to believe that the breach creates a real risk of significant harm to an individual, organizations subject to PIPEDA will be required to notify:

• The Commissioner
• The individual
• Other organizations and/or government

Organizations must also keep records of ALL breaches even if it is deemed that the breach does not pose a significant threat/harm. Significant harm as defined in PIPEDA at a minimum includes:

• Bodily harm
• Humiliation
• Damage to reputation or relationships
• Loss of employment
• Business or professional opportunities
• Financial loss
• Identity theft
• Negative effects on the credit record and damage to or loss of property

Employer Responsibilities

Have a breach response plan in place. Some key areas to include in your plan:

• Points of access
• Information to collect and store
• Where to house information and how to access it
• IT infrastructure and plan
• Incident response steps and procedures

Notify the Commissioner, individuals, other organizations and/or the government “as soon as feasible after the breach occurred”. From a legal and regulatory perspective, as soon as it is reasonably possible for you to identify what happened and determine whether there was significant harm, you must engage in the steps of notifying the Commissioner, individual and other organizations/government immediately.

Document management is crucial! You must maintain a record of every breach of security safeguards for 24 months.

Review your existing policies and ensure that it remains compliant with privacy laws/regulations.

Train your employees on data breach risks and reporting obligations under the new legislation and requirements.

Important PIPEDA Links

Breach of Security Safeguards Regulations:

http://www.gazette.gc.ca/rp-pr/p2/2018/2018-04-18/html/sor-dors64-eng.html

PIPEDA Compliance Guidance and Tips:

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/

The new PIPEDA regulations will impact businesses. Non-compliance of the new mandatory breach reporting regime can result in significant fines and penalties for failing to report. So adopt best practices to abide by the PIPEDA regulations and exercise your due diligence as an employer.

Disclaimer: Please be aware that information provided in this blog is subject to change. We recommend that you do not take any information held within as a definitive guide to the law or the relevant matter being discussed. You are advised to seek legal or professional advice where necessary. Due to the nature of the matters discussed in this blog, the information contained within it and any pages linked to/from it are clearly subject to change, without warning.

We’d love to help you build and strengthen your people practices! Contact us for your free consultation to learn more about what HR services and support we can offer your company –  https://upskillconsulting.ca/contact/

• Author
• Recent Posts

Sofia Arisheh

Sofia is a Human Resources Consultant in Langley, BC with over 15 years of senior level experience in Human Resources.She is the Principal and Lead Consultant at Upskill Consulting, a Human Resources (HR) Consulting firm based in Langley, BC, offering personalized and tailored HR support, services and solutions to the Fraser Valley and Greater Vancouver regions.

Throughout Sofia's career she has engaged in various functions of HR, always with a mindset of translating business strategy into systematic HR initiatives. Her HR experience has involved overseeing day-to-day operations, developing HR strategies, leading organizational changes and partnering with leadership to drive and deliver on HR principles and business strategies.

Her specialization in HR includes training and capability development, performance management, employee engagement, change management and organizational development.

Sofia has a Bachelor of Arts Degree in Psychology from Simon Fraser University,a Post-Baccalaureate Diploma in Human Resources Management from Kwantlen Polytechnic University and holds her Chartered Professional in Human Resources (CPHR) designation.

Latest posts by Sofia Arisheh (see all)

• Bridging the Leadership Gap: The Power of Facilitated Learning in Evolving Expertise - March 11, 2024
• Unlocking Potential: The 3-2-1 Approach to Transformative Leadership - January 17, 2024
• Elevate Your Business with Effective Performance Management - December 27, 2023