Mandatory Breach Reporting

Effective November 1, 2018, new rules apply if personal information is lost, accessed or disclosed without authorization, or if there is a breach of security safeguards.

There is mandatory breach reporting if there is a “real risk of significant harm to an individual.”

The OPC and all affected individuals must be notified if the threshold of harm is met.

There is mandatory record-keeping for all breaches, regardless of whether or not the threshold of harm is met.

These new rules exist because of risks such as financial loss, identity theft, humiliation or damage to reputation.

A breach of health information requires notification to the Provincial Health Privacy Regulator.