The federal government has finally announced, by Order in Council, the long-awaited implementation date for Canada’s new mandatory breach notification regime.

Mandatory report to the Office of the Federal Privacy Commissioner

Beginning November 1, 2018, organizations will have to report to the Office of the Federal Privacy Commissioner any breach of security safeguards involving personal information under their control if it is reasonable to believe the breach creates “a real risk of significant harm to an individual.”

Last September, Ottawa made public its proposed regulations prescribing what information must be included in that report. The regulations also force organizations to notify individuals targeted by such a breach, and prescribe how they should be notified and the manner in which indirect notification can be made.

Mandatory record-keeping period

The regulations also impose a mandatory record-keeping period following a data breach: 24 months from the day the organization becomes aware of the breach.

The new regime has been in the works since the government introduced major amendments to Canada’s privacy law (PIPEDA) governing the private sector, with the adoption of the Digital Privacy Act in 2015.

Concrete application

PIPEDA does not apply to organizations whose operations take place entirely within provinces that have their own privacy legislation deemed “substantially similar”. Québec, Alberta and British Columbia have such privacy laws in place.

The publication of the Order in Council comes at a time when major data breaches have captured headlines. Meanwhile, businesses are bracing for the coming into force next month of the EU’s own data breach notification requirements under the General Data Protection Regulation (GDPR).