Canadian PIPEDA Updated: Companies Obliged to Report Data Breaches
As of November 1st, Canadian companies are obliged to record data breaches and notify Canada’s Office of the Privacy Commissioner about them, now that the change to the federal Personal Information Protection and Electronics Act (PIPEDA) has taken effect.
1. One of the main objectives of PIPEDA is to “ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements.”
2. The notification requirement obliges companies to keep records of breaches for over two years. Each record should contain the estimated date of the breach, a description and the nature of the breach circumstances, and whether the breach was reported to Canada’s privacy commissioner.
3. The Office of the Privacy Commissioner of Canada doesn’t specify any penalties or fines. However, “A failure to comply with these rules could result in regulatory and criminal proceedings,” said Alex Cameron, head of the privacy and cybersecurity practice at Fasken Martineau DuMoulin.
4. The change should mitigate substantial financial damages caused by data breaches.