The federal government has finally announced, by Order in Council, the long-awaited implementation date for Canada’s new mandatory breach notification regime.
Mandatory report to the Office of the Federal Privacy Commissioner
Beginning November 1, 2018, organizations will have to report to the Office of the Federal Privacy Commissioner any breach of security safeguards involving personal information under their control if it is reasonable to believe that the breach creates "a real risk of significant harm to an individual."
Last September, Ottawa made public its proposed regulations prescribing what information must be included in that report. The regulations also require organizations to notify the individuals affected by such a breach, and prescribe how those individuals must be notified and the circumstances in which indirect notification (for example, a public announcement rather than individual notices) may be used instead.
According to the Ministry of Innovation, Science and Economic Development, the final regulations will be published on April 18 and take into account the comments received on the draft regulations.
Also according to the Ministry, the final regulations provide for a transition period of just over six months before they come into force on November 1, 2018.
Mandatory record-keeping period
They also impose a mandatory record-keeping requirement: an organization must keep a record of every breach of security safeguards for 24 months from the day it becomes aware of the breach. The record-keeping obligation is broader than the reporting obligation, since it applies whether or not a given breach meets the "real risk of significant harm" threshold that triggers a report, and the records must be provided to the Commissioner on request.
The new regime has been in the works since 2015, when the Digital Privacy Act introduced major amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law governing the private sector.
PIPEDA does not apply to organizations whose operations take place entirely within a province that has its own privacy legislation deemed "substantially similar". Québec, Alberta and British Columbia have such laws in place. PIPEDA nonetheless continues to apply to federally regulated businesses and to personal information that crosses provincial or national borders, and organizations in Alberta should note that the province's own Personal Information Protection Act has already required breach notification to the Alberta Commissioner since 2010.
The publication of the Order in Council comes at a time when major data breaches have captured headlines. Meanwhile, businesses are bracing for the coming into force next month, on May 25, 2018, of the EU's own data breach notification requirements under the General Data Protection Regulation (GDPR).
We will provide further details about the extent of the notification responsibilities in a forthcoming article.