Announcement

September 15, 2020

New resources to help businesses protect personal information and address breaches

The Office of the Privacy Commissioner of Canada (OPC) today launched new resources to help businesses manage breaches and follow mandatory reporting and other requirements related to the safe storage of personal information.

The OPC recently conducted its first breach record inspections to gain insight into how businesses are meeting their record-keeping obligations under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The final report is now available and offers business valuable insights into some of the most common challenges faced when maintaining records of breaches of security safeguards.

The OPC has also developed a new series of videos designed to help businesses open up a discussion with their staff on what they should do to protect the personal information of customers, clients and their own employees and ensure the business is prepared in the event of a breach.

Breach record inspections report

The inspections involved reviewing the breach records from 7 Canadian telecommunications companies. Our Office examined the companies’ breach records to assess compliance and get a better sense of the plans, tools and approaches organizations are using to meet their breach recording and reporting responsibilities.

One of the key takeaways from the review is that businesses could benefit from a better understanding of how to assess whether a breach has led to a real risk of significant harm. The new series of videos is a step in that direction.

The report provides insights, best practices and concrete examples to help businesses conduct an assessment of real risk of significant harm.

The review also highlighted challenges with how organizations keep records about breaches of their security safeguards. The report provides advice about the information businesses must record, why and for how long they should retain the records. Importantly, businesses need to be keeping records that contain enough information for the OPC to understand an organization’s assessment of Real Risk of Significant Harm.

New video series

The 6 videos address the following topics:

• Introduction to breach reporting
• Assessing the risks of significant harm
• Business obligations for reporting breaches
• How to submit a breach report
• When and how to notify people and organizations
• Keeping the necessary records

Secure PIPEDA breach reporting portal

The OPC has recently launched a secure portal for reporting breaches that allows businesses to easily submit their breach reports and instantly receive a file number to facilitate future communication about the report.

In a world where personal information is so easily collected, used and shared with a click on the keypad, businesses are increasingly concerned about protecting the privacy of their customers, clients and employees. Being sensitive to individuals’ concerns about their personal information is good business.

Additional information related to breaches and other privacy issues is available in a suite of guidance documents aimed to assist businesses.