Fri, Nov 9, 2018

Canada’s PIPEDA Breach Notification Guidance and Considerations

The mandatory breach notification rules of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) took effect on November 1, 2018. Because the draft guidance from the Office of the Privacy Commissioner of Canada was released a mere six weeks ago, many organizations are scrambling to ensure compliance.

To help your team in this process, we prepared some tips and best practices:

  • If your organization outsources any business function(s), determining who owns the data and who is responsible for reporting breaches can be challenging and time-consuming.
    • Consider engaging experienced legal counsel to review contracts with third parties so that they capture notification requirements and timelines and include clear definitions of “significant harm.”
  • PIPEDA defines a breach of security safeguards broadly: the loss of, unauthorized access to, or unauthorized disclosure of personal information. Reporting is required whenever it is reasonable to believe the breach creates a real risk of significant harm to an individual, and “significant harm” is itself defined broadly (it includes bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft and negative effects on a credit record).
    • Because far more incidents can therefore become reportable events, it is urgent that your organization implement and test its notification procedures as soon as possible.
  • Under the new rules, a breach that poses a real risk of significant harm must be reported to the Office of the Privacy Commissioner of Canada and the affected individuals must be notified. You must also keep records of every breach of security safeguards, reportable or not, for 24 months from the date you determine the breach occurred.
    • This means that in addition to maintaining your own records, you must define these record-keeping responsibilities with your third parties as well.

Watch Brian Lapidus, Managing Director and Global Breach Notification Leader in the Cyber Risk practice, discuss how his global team supports clients with various data privacy and security laws, including PIPEDA:

If your organization is unaccustomed to breach reporting, PIPEDA’s stringent breach notification rules will no doubt increase your compliance burden. You will need to pay much closer attention to third-party risk, data security and incident response plans.

Kroll’s Cyber Risk team has the resources to support your team at every stage of this process, from data mapping exercises to third-party risk management programs to breach notification and identity monitoring services. We have helped organizations of all sizes with data incidents of every scale and complexity for nearly two decades.

Our global team of cyber experts stands ready to answer your questions and provide guidance to implement PIPEDA and meet its notification requirements. You can call our breach hotline at 877-300-6816 or email [email protected] for a 24x7 response.
