Blog

Proposed Breach of Security Safeguards Regulations Under PIPEDA Have Been Released

September 07, 2017

Written by Sebastien Gittens, Stephen Burns, and Martin Kratz QC

The Canadian federal government released the proposed Breach of Security Safeguards Regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) on September 2, 2017.

Not yet in force, these Regulations set out the:

  1. content, form and manner of a report to the Commissioner of a breach under PIPEDA;
  2. content of notification to affected individuals;
  3. manner of direct notification;
  4. circumstances permitting indirect notification;
  5. manner of indirect notification; and
  6. record-keeping requirements.

Introduction

PIPEDA currently defines "breach of security safeguards" as a loss or unauthorized access or disclosure of personal information that results from either the breach of an organization's security safeguards, or an organization's failure to establish these safeguards.

PIPEDA and the proposed Regulations will require that organizations report to both the Commissioner and the individual in question where it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to an individual. PIPEDA sets out what constitutes "significant harm" and the factors relevant to determining whether there is a "real risk of significant harm", which include the sensitivity of the personal information involved in the breach, the probability that the personal information has been, is being, or will be misused, and any other factor prescribed by regulation. PIPEDA also provides that the notification shall be given as soon as feasible after the organization determines that the breach has occurred.

Organizations must also notify other organizations and governmental institutions if such organizations or institutions may be able to mitigate harm.

These and other obligations are backed up by compliance and enforcement measures, including the Commissioner's ability to enter into "compliance agreements" with organizations, and to apply to the Court for an order directing an organization to comply.

Content, Form, and Manner of a Report

The proposed Regulations state that any report to the Commissioner must contain:

  1. a description of the circumstances and cause of the breach;
  2. the date or period of the breach;
  3. a description of the personal information that is the subject of the breach;
  4. an estimate of how many people are exposed to a "real risk of significant harm";
  5. a description of what the organization has done to reduce and mitigate harm;
  6. a description of what the organization has or intends to do to notify each affected individual; and
  7. contact information of a person who can answer the Commissioner's questions about the breach.

Content and Manner of a Notification

Similarly, the proposed Regulations will require that the notification to an affected individual contain:

  1. a description of the circumstances of the breach;
  2. the date or period of the breach;
  3. a description of the personal information that is the subject of the breach;
  4. a description of what the organization has done to reduce and mitigate harm;
  5. a description of what the affected individual could do to reduce and mitigate harm;
  6. a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
  7. information about the organization's internal complaint process and about the affected individual's right, under PIPEDA, to file a complaint with the Commissioner.

The proposed Regulations also provide, among other things, details regarding the manner in which organizations can directly notify affected individuals, and when organizations can rely on indirect notification.

Record-Keeping Requirements

Finally, organizations will, if the Regulations come into force, be required to maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred.

The federal government will be collecting feedback on the draft Regulations until October 2, 2017. The final Regulations are expected to come into effect after the government has considered such feedback. In the interim, the draft Regulations give some much-awaited clarity with respect to the breach notification requirements contemplated by the federal government under PIPEDA.

Authors

  • J. Sébastien A. Gittens, Partner, Trademark Agent
  • Stephen D. Burns, Partner, Trademark Agent
