November 8, 2019
By Amanda Branch
It has been one full year of mandatory data breach reporting under the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner of Canada (the OPC) has written a blog post setting out what it has learned over the past year and what businesses need to know.
Mandatory breach notification under PIPEDA came into force on November 1, 2018. Before that time, breach reporting to the OPC was done on a voluntary basis. Since November 2018, organizations subject to PIPEDA that suffer a breach of security safeguards that gives rise to a "real risk of significant harm" are required to (i) report the incident to the Office of the Privacy Commissioner of Canada; (ii) notify affected individuals; and (iii) notify any other third party that is in a position to mitigate the risk of harm to affected individuals. While organizations are not required to report a breach that does not give rise to a real risk of significant harm, they are required to keep a record of all breaches for a minimum of two years – and the OPC has the authority to proactively inspect those records.
Looking at the numbers
Here are some key statistics:
Employee snooping and social engineering hacks are the key factors behind breaches resulting from unauthorized access. “Accidental disclosure” occurred in instances where documents containing personal information were provided to the wrong individual or were left behind accidentally.
Tips from the OPC – preventing and responding to a breach.
The OPC has provided some helpful tips for organizations to keep in mind.
First, help reduce privacy breaches at your organization:
If your organization does suffer a data breach, the OPC has the following tips on how to respond:
Please see here for our article on the OPC’s mandatory breach reporting guidance for organizations.
Information on this website is for information only. It is not, and should not be taken as, legal advice. You should not rely on, or take or not take any action, based upon this information. Professional legal advice should be promptly obtained. Bereskin & Parr LLP professionals will be pleased to advise you.