Ottawa working on “options regarding next steps” for Canada-wide mandatory privacy breach notification

Canadian Underwriter reports:

Before the House of Commons was dissolved last summer to kick off the federal election, the ruling Conservatives passed the Digital Privacy Act, which creates new offences for failing to report data security breaches. However, nation-wide mandatory breach notification would not actually take effect unless the government develops regulations, and it is not clear whether the newly-elected Liberals plan to do this.

The Digital Privacy Act (Bill S-4 of the last session of Parliament) changes the Personal Information and Protection of Electronic Documents Act (PIPEDA) to include a new requirement for “organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner.” Passed into law June 18, Bill S-4 also contains a requirement “organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control.”

The amendments “dealing with breach reporting, notification and recordkeeping will be brought into force only after related regulations outlining specific requirements are developed and in place,” a spokesperson for the Office of the Privacy Commissioner of Canada told Canadian Underwriter in an e-mail Jan 11. “For information about the regulation-making process or timelines, you may direct inquiries to the Department of Innovation, Science and Economic Development.”

Canadian Underwriter asked the ISED department whether the federal government plans to develop regulations to bring those amendments into force, and if so when those regulations would be in place.

A spokesperson sent a response Jan. 12 but did not answer the question.


About the author: Dissent

Comments are closed.