Businesses are facing new obligations under breach of security safeguards rules coming into force this week, says the federal Privacy Commissioner.
Changes to Canada's federal private sector privacy law will require organizations to report certain breaches of security safeguards to the Commissioner's office and to notify those affected.
“The number and frequency of significant data breaches over the past few years have proven there's a clear need for mandatory reporting,” says Commissioner Daniel Therrien. “Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”
New regulations include reporting breaches
Under the new regulations for organizations subject to the Personal Information Protection and Electronic Documents Act, which come into force November 1, organizations must:
- report to the Privacy Commissioner's office any breach of security safeguards where it creates a “real risk of significant harm”;
- notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
- keep records of all breaches of security safeguards that affect the personal information under their control, and
- keep those records for two years.