The Government of Canada published the final version of its breach of security safeguards regulations on April 18, 2018 as an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000. The regulations require organizations to:
- Report the breach to the Privacy Commissioner of Canada.
- Give notice of the breach to affected individuals.
- Maintain records of data breaches.
PIPEDA is a federal statute, and BC’s privacy legislation does not currently require data breach reporting. However, if your business engages in inter-provincial and international transactions, you must comply with the data breach notification requirements under PIPEDA.
So, what is a data breach according to PIPEDA?
A breach of security safeguards refers to “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”
Organizations must implement safeguards that protect personal information from:
- Loss or theft
- Unauthorized access
- Use
- Disclosure
- Copying
- Modification
Under the new rules, organizations must notify individuals “as soon as feasible” after a breach has occurred. Failing to report a data breach, or deliberately failing to keep a record of the data breach, can lead to fines of up to $100,000 for each offense. Organizations must keep records of security breaches for at least two years after discovery.
To determine what sensitive information needs to be safeguarded, consider the impact of a potential breach. Could a breach at your organization result in significant harm, such as bodily harm, humiliation, damage to reputation, financial loss, negative effects on a credit record, or loss of employment or relationships?
Smart Dolphins can assist you in protecting your clients’ personal information by delivering a technology solution that helps prevent security breaches and ensures technical compliance with PIPEDA.