The Digital Privacy Act, which received royal assent on 18 June 2015, amended Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act (the "PIPEDA"). Such amendments include the requirement that private sector organisations should notify individuals when their personal data has been lost or stolen ("Notifications to Individuals") and the requirement to report such potential data breaches to the Office of the Privacy Commissioner of Canada (the "OPC Report"). The new data breach requirements in PIPEDA have yet to come into force, pending the proposed data breach notification and reporting regulations (the "Data Breach Regulations").

On 9 March 2016, the Department of Innovation, Science and Economic Development issued a discussion paper to obtain input and views on the Data Breach Regulations (the "Discussion Paper"). Public submissions can be submitted until 31 May 2016. The Discussion Paper deals with a number of issues, including the following:

  1. whether certain industries should be subject to specific regulation;
  2. what record keeping requirements should be implemented;
  3. when an organisation undertakes a risk assessment, should the risk of harm be presumed to be low for encrypted data;
  4. what should the form and content of OPC Reports be;
  5. what should the form and content of Notifications to Individuals be; and
  6. should there be any specific circumstances where reporting to third parties should be required.

Following this discussion process, the Canadian government will publish a set of draft regulations in Part 1 of the Canada Gazette for public comment and consultation and subsequently final regulations will be published in Part 2 of the Canada Gazette and the new data breach requirements in PIPEDA will be brought into force.

Organisations may wish to submit a response to the Discussion Paper.

To view the text of the Discussion paper, please click here.