Mandatory Breach Reporting and Guidance Now in Effect in Canada

On November 1, 2018, the mandatory breach reporting requirements under PIPEDA officially came into force.

Earlier this week, the Office of the Privacy Commissioner of Canada (OPC) also confirmed its guidance regarding PIPEDA’s new mandatory security and privacy breach notification requirements. This guidance contains helpful information regarding how and when to report breaches of security safeguards to the OPC, the corresponding notice that must be provided to individuals, and record-keeping obligations associated with such breaches.

Read our previous posts about these requirements and the guidance.

In the finalized guidance, the OPC has provided some further clarification on responsibility for reporting breaches when more than one organization is involved (such as when an organization has transferred information to a service provider). In particular, the OPC has confirmed that it will generally interpret the principal organization as having control of personal information and therefore responsibility for breach reporting in respect of a breach that occurs with the third-party service provider. However, the OPC also emphasized that ultimately this question will need to be assessed on a case-by-case basis and that service providers continue to have a number of obligations with respect to personal information under PIPEDA.

The privacy team at MLT Aikins has assisted a number of organizations in preparing for and in dealing with breaches of security safeguards. We can help your organization ensure it is appropriately prepared for and appropriately responds to such breaches in accordance with the new requirements and thereby mitigate risks to your organization.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.