[BreachExchange] Canada: New data breach reporting requirements come into force this week

Destry Winant destry at riskbasedsecurity.com
Tue Oct 30 12:06:57 EDT 2018


Businesses have new obligations under breach of security safeguards
rules coming into force this week in Canada, says the federal Privacy

Changes to Canada's federal private sector privacy law will require
organizations to report certain breaches of security safeguards to the
Commissioner's office and to notify those affected.

"The number and frequency of significant data breaches over the past
few years have proven there's a clear need for mandatory reporting,"
says Commissioner Daniel Therrien. "Mandatory breach reporting and
notification will create an incentive for organizations to take
security more seriously and bring enhanced transparency and
accountability to how organizations manage personal information."

The Office of the Privacy Commissioner of Canada has published
guidance to help businesses comply with the new requirements as well
as a new reporting form.

The final version of the guidance was developed following a public
consultation. The Commissioner's office received 20 submissions from
various sectors on a draft version of the guidance. The Commissioner
thanks those who provided their feedback.

Under the new regulations for organizations subject to the Personal
Information Protection and Electronic Documents Act, which come into
force November 1, organizations must:

- Report to the Privacy Commissioner's office any breach of security
  safeguards where it creates a "real risk of significant harm;"
- Notify individuals affected by a breach of security safeguards where
  there is a real risk of significant harm;
- Keep records of all breaches of security safeguards that affect the
  personal information under their control; and
- Keep those records for two years.
