But cyber security is not child's play.
As of November 1, 2018, commercial operations in Canada (including medical offices) that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) now face strict new privacy breach response requirements with respect to any data security safeguard breach. Under the Digital Privacy Act, every organization that collects, uses and discloses personal information in the course of commercial activity in Canada (with a few exceptions) must follow new mandatory data breach record-keeping, reporting and notification rules – or face significant non-compliance consequences.
Here are the answers to some frequently asked questions about the Digital Privacy Act and its new data breach response requirements.
The Digital Privacy Act is a federal law that amends PIPEDA to mandate a response to data breaches that includes three key new obligations: record-keeping, reporting and notification.
Existing Safeguarding Obligation. Canadian law already obligates organizations to protect personal information with security safeguards appropriate to the sensitivity of the information. These security safeguards are required to protect personal information (regardless of the format it is in) against unauthorized access or use in any manner.
NOTE: All notification costs are to be borne by the affected organization.
Practically, this means any of the following "internal" security breach scenarios could amount to a "breach of security safeguards" – and trigger the mandatory data breach response obligations:
Yes. The Digital Privacy Act applies to every organization to which PIPEDA applies. This includes most doctors who collect, use and/or disclose personal information in the course of commercial activity in Canada, with the exceptions of Quebec, Alberta and British Columbia, which all have provincial legislation that's similar to PIPEDA.
Because the consequences of failing to do so are significant. They can include:
Breaches happen – but advance preparation can significantly reduce the liability and reputational risks if such a breach occurs. There are some key areas on which to focus when preparing for the Digital Privacy Act's mandatory data breach response requirements, including:
Talk to your Insurance Advisor about adding cyber protection to your Office/Clinic package from OMA Insurance.
The content of this article is intended to provide a general guide to the legislation. Specialist advice should be sought about your specific circumstances.