Version of document from 2018-11-01 to 2019-03-27:

Breach of Security Safeguards Regulations

SOR/2018-64

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Registration 2018-03-27

Breach of Security Safeguards Regulations

P.C. 2018-368 2018-03-26

Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to subsection 26(1) of the Personal Information Protection and Electronic Documents Act, makes the annexed Breach of Security Safeguards Regulations.

Interpretation

Definition of Act

1 In these Regulations, Act means the Personal Information Protection and Electronic Documents Act.

Report to Commissioner

Report — content, form and manner

2 (1) A report of a breach of security safeguards referred to in subsection 10.1(2) of the Act must be in writing and must contain

  • (a) a description of the circumstances of the breach and, if known, the cause;

  • (b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;

  • (c) a description of the personal information that is the subject of the breach to the extent that the information is known;

  • (d) the number of individuals affected by the breach or, if unknown, the approximate number;

  • (e) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;

  • (f) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and

  • (g) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

New information

(2) An organization may submit to the Commissioner any new information referred to in subsection (1) that the organization becomes aware of after having made the report.

Means of communication

(3) The report may be sent to the Commissioner by any secure means of communication.

Notification to Affected Individual

Contents of notification

3 A notification provided by an organization, in accordance with subsection 10.1(3) of the Act, to an affected individual with respect to a breach of security safeguards must contain

  • (a) a description of the circumstances of the breach;

  • (b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;

  • (c) a description of the personal information that is the subject of the breach to the extent that the information is known;

  • (d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;

  • (e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and

  • (f) contact information that the affected individual can use to obtain further information about the breach.

Direct notification — form and manner

4 For the purposes of subsection 10.1(5) of the Act, direct notification must be given to the affected individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.

Indirect notification — circumstances

5 (1) For the purposes of subsection 10.1(5) of the Act, indirect notification must be given by an organization in any of the following circumstances:

  • (a) direct notification would be likely to cause further harm to the affected individual;

  • (b) direct notification would be likely to cause undue hardship for the organization; or

  • (c) the organization does not have contact information for the affected individual.

Indirect notification — form and manner

(2) For the purposes of subsection 10.1(5) of the Act, indirect notification must be given by public communication or similar measure that could reasonably be expected to reach the affected individuals.

Record-keeping

Record-keeping requirements

6 (1) For the purposes of subsection 10.3(1) of the Act, an organization must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred.

Compliance

(2) The record referred to in subsection 10.3(1) of the Act must contain any information that enables the Commissioner to verify compliance with subsections 10.1(1) and (3) of the Act.

Coming into Force

S.C. 2015, c. 32

7 These Regulations come into force on the day on which section 10 of the Digital Privacy Act comes into force, but if they are registered after that day, they come into force on the day on which they are registered.
