PIPEDA Mandatory Reporting, Amendment Effective November 1, 2018
The Personal Information Protection and Electronic Documents Act (PIPEDA) was amended by the Digital Privacy Act, with the breach provisions coming into force on November 1, 2018. The amendments impose mandatory breach reporting and notification requirements on private-sector organizations subject to the Act.
The requirement to report arises when an organization becomes aware of a breach of security safeguards involving personal information under its control and it is reasonable to believe that the breach creates a real risk of significant harm to an individual.
When an organization becomes aware of such a breach, it must, as soon as feasible, provide a written report to the Office of the Privacy Commissioner that contains:
- A description of the cause and circumstances of the breach
- The date or time period during which the breach occurred
- A description of the personal information that has been affected by the breach
- The number of individuals affected by the breach
- Steps taken to reduce the risk of harm or mitigate the harm
- Steps taken to notify affected individuals
- The name and contact information of a person the Commissioner can ask questions of concerning the breach
The same information must be provided when an organization notifies affected individuals, with the exception of the cause of the breach and the number of individuals affected; the notice to individuals must also give them enough information to understand the significance of the breach and, where possible, to take steps to reduce the risk of harm.
Impact on Our Insureds
It is recommended that organizations prepare for these amendments before they come into effect by training staff and by developing or reviewing the organization's information security breach response plan.
Knowingly violating the breach reporting or notification requirements is an offence and can result in a fine of up to $100,000 per violation.
NOTE: The Office of the Privacy Commissioner of Canada states that “our Office is of the view that, as a general rule, the Personal Information Protection and Electronic Documents Act (PIPEDA) does not apply to the core activities of municipalities, universities, schools, and hospitals”. They recommend that “private educational institutions and private hospitals” operate under the assumption that PIPEDA applies to them.
Health care providers in private practice such as doctors, dentists and chiropractors are engaged in a commercial activity and thus subject to the Act, unless substantially similar provincial legislation applies (which it does in Ontario for health information custodians).
In Ontario, of the institutions noted above, the amendments may therefore affect only PRIVATE SCHOOLS.