The draft privacy breach regulations under PIPEDA have just been published. They are open for comment for 30 days.
These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach. PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in “real risk of significant harm”. Those provisions will come into force after the regulations are passed.
The draft regulations are about what were expected. They are similar to those under Alberta privacy legislation.
I agree with David Fraser’s view that section 4(a) that says notification to individuals can be sent “by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner” is uncalled for. A notice of this nature is not spam, and it does not make sense to require that an individual has given consent for communication in that manner to notify of a privacy breach. These notifications are for the benefit of the individual, so why make it harder for organizations to send it?
The amendments and regulations have provisions requiring organizations to keep records of all privacy breaches, including information that allows the Privacy Commissioner to determine if the organization properly considered the notice threshold tests. In other words, organizations must be able to prove that any decision not to notify was justified.