As we have discussed in prior Bulletins, in June 2015 the Digital Privacy Act (DPA) amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Some of the provisions are already in force, while others required the Federal Government to take further action before the provisions came into effect. On March 26, 2018, the Federal Government issued an Order-in-Council setting November 1, 2018 as the in-force date for the DPA’s “breaches of security safeguards” provisions.

This means that, come November, most private sector firms that experience a data breach will have to, among other things:

  • Determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (Affected Individuals);
  • Notify Affected Individuals and the Privacy Commissioner of Canada (Commissioner) as soon as feasible if the firm considers that the breach poses a real risk of significant harm;
  • Notify any other organization that may be able to mitigate harm to Affected Individuals; and
  • Maintain records of any data breaches that the firm becomes aware of and provide such records to the Commissioner upon request.

The Breach of Security Safeguards Regulations, which set out in more detail what, how and when firms should disclose, report and keep records of data breaches, also comes into effect on November 1.

This phase in the implementation of privacy rules comes as firms, individuals, governments and regulators face challenging scenarios about online privacy and companies’ ability to keep individuals’ personal data secure. The countdown clock is ticking loudly. Now is the time to assess whether your firm has adequate policies, procedures, and internal controls to meet these new requirements. We are happy to assist you in getting ready for the new regime.