Updated privacy breach reporting requirements

Updated privacy breach reporting requirements


Effective November 1, 2018 the Government of Canada implemented new privacy breach reporting requirements related to PIPEDA. All companies (both small and large) that collect and store personal information are subject to these new regulations.

This new change requires that all companies in Ontario report any breaches to the Privacy Commissioner of Canada and that they notify any affected individuals. Companies are also required to keep records of these breaches for 2 years and could face financial penalties for failing to comply with these new rules.

A privacy breach is defined as the loss of, unauthorized access to, or disclosure of personal information. Some of the most common privacy breaches happen when personal information is stolen, lost, or mistakenly shared. A privacy breach may also be a consequence of faulty business procedures or operational breakdowns.

For more detailed information on the new requirements, see the following page from the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/

We think these new requirements are a good thing and should force businesses to take security and privacy more seriously in this digital age. Businesses have known this was coming for years since this was part of the Digital Rights Act passed in June 2015.

Have questions about the security of your technology and data? Want to ensure you are complying with security and privacy best practices? Need help to determine if there are areas you can improve? Contact our office to arrange a security assessment, or to find out more about how we can help.