[HR] Is Your Business Ready for PIPEDA’s Privacy Breach Recording Obligation?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information, and it applies to the collection, use or disclosure of personal information in the course of a commercial activity.
Effective Nov 1, 2018, businesses that have a privacy breach must give notice of the breach under PIPEDA, the privacy legislation affecting the private sector in most Canadian provinces. The final regulations containing the details are about to be published.
Here’s what you need to know:
When to report – Notice is required if a privacy breach “creates a real risk of significant harm to an individual”. Significant harm includes bodily harm, humiliation, damage to reputation, financial loss and identity theft. Risk factors for deciding whether this threshold is met are provided. The report must be made “as soon as feasible after the organization determines that the breach has occurred.”
What to report – The circumstances of the breach, when it happened, what personal information was involved, the steps the organization has taken to reduce the risk of harm, the steps affected individuals can take to reduce their own risk, and contact information.
Who to report to – The Privacy Commissioner, the affected individuals, and any third parties that “may be able to reduce the risk of harm.” (Deciding which third parties fall into that category will require some internal consultation and thought.)
What else to do – Businesses must maintain a “record of every breach of security safeguards involving personal information under its control,” and must provide that record to the Privacy Commissioner on request. The challenge is that this recording duty has no harm threshold: every breach, even a trivial one, must be recorded.
Best practice – Businesses should review their privacy policies and processes and amend them as needed. A record-keeping system must be put in place to log all breaches, and a breach reporting and incident response process should be established.
Penalties – Failure to report a breach when required, or failure to keep the required breach records, can result in a penalty of up to $100,000.