April 18, 2018, Ottawa, ON
The Government of Canada believes that Canada must balance technological innovation and a strong economy with Canadians’ peace of mind knowing that their data is safe and their privacy is respected.
Today, the Government of Canada published new requirements to ensure the personal information of Canadians held by a private entity is protected and secure. The regulations, to come into force on November 1, 2018, will be implemented under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The Act applies to the collection, use or disclosure of personal information in the course of a commercial activity.
The regulations detail how businesses will alert Canadians if their personal information is lost or stolen as a result of a data security breach, and how affected individuals can protect themselves and their information. The regulations also outline the financial penalties a company must pay if it fails to report a breach.
“Our government is committed to making sure that Canadians’ personal information is protected and secure. While digitization has empowered critical innovation, it has also presented us with new and uncharted opportunities and challenges. The new regulations will make companies more accountable and empower Canadian consumers.”
– The Honourable Navdeep Bains, Minister of Innovation, Science and Economic Development
- PIPEDA was amended in 2015 to add new requirements for mandatory data breach reporting. These provisions will be brought into force on November 1, 2018, with the accompanying regulations published today.
- The statutory requirements under the Act encourage organizations to implement better information security practices and ensure that consumers are notified of breaches that may pose a risk of significant harm.
- The new regulations provide further details on how organizations must comply with the mandatory reporting obligations by:
  - specifying the minimum requirements for providing a data breach report to the Privacy Commissioner;
  - specifying the minimum requirements for notifying affected individuals of a data breach; and
  - confirming the scope and retention period for data breach recordkeeping.