By Eduard Goodman
After years and several failed attempts, the Canadian government has successfully passed a federal data breach notification requirement.
The Digital Privacy Act, which received Royal Assent June 18, amends the Personal Information Protection and Electronic Documents Act (PIPEDA) to include an affirmative duty to notify the Office of the Privacy Commissioner of Canada, as well as individuals impacted by the breach.
While affirmative obligations have existed in a few provinces such as Alberta, Manitoba and Ontario (for health data), the requirement to notify the federal office or other provincial data protection and privacy authorities was simply a ‘recommendation.’
The Digital Privacy Act will specifically require that an entity notify the Office of the Privacy Commissioner and impacted individuals of “any breach of security safeguards involving personal information under [their] control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”
Obviously what constitutes a “risk of significant harm” is open to some level of interpretation, and the clarification provided defines it as a wide variety of risks, including “… bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
The details still need to be clarified through additional regulations that will be developed in the near future. It is also not exactly clear when the law will go into effect. What is clear is that knowing violations—whether they’re a failure to keep records of security breaches impacting privacy or failure to notify the commissioner and impacted parties—will eventually expose an entity to C$100,000 per violation.
This is a developing regulation that will need to be tracked as various parts of it are clarified and implemented, which means there is certainly more to come.
Eduard Goodman is chief privacy officer at IDT911.