Charmaine Borg moved, — That Bill S-4, in Clause 10, be amended(a) by replacing lines 2 to 25 on page 10 with the following:
“Commissioner any incident involving the loss or disclosure of, or unauthorized access to, personal information under its control or a breach of security safeguards involving personal information under its control if a reasonable person would conclude that there exists a possible risk of significant harm to an individual as a result of the loss or disclosure or unauthorized access or as a resulf of the breach.
(2) The report shall contain the information and be made in the form prescribed in the regulations or otherwise specified by the Commissioner and shall be made as soon as feasible after the discovery of the loss or disclosure of, or unauthorized access to, personal information or of the breach.
(3) Upon the receipt of the report, the Commissioner may require the organization to notify affected individuals to whom there is an appreciable risk of significant harm as a result of the loss or disclosure of, or unauthorized access to, personal information or as a result of the breach.
(4) If the Commissioner determines that the loss or disclosure of, or unauthorized access to, personal information or the breach is likely to result in an appreciable risk of significant harm to the affected individuals, the Commissioner shall, as soon as feasible, order the organization to notify the affected individuals without unreasonable delay.
(4.1) Nothing precludes an organization from notifying affected individuals of the loss or disclosure of, or unauthorized access to, personal information or of a breach on its own initiative; in which case, the organization shall, without delay, inform the Commissioner that it has done so.
(4.2) Once the organization has complied with the notification order referred to in subsection (4), it shall notify the Commissioner of that fact.
(4.3) The notification to the affected individuals of the loss or disclosure of, or unauthorized access to, personal information or of the breach shall include
(a) a report of the risk of significant harm as it pertains to the affected individuals;
(b) instructions for reducing the risk of significant harm or mitigating that significant harm; and
(c) any other prescribed information.”
(b) by replacing line 39 on page 10 with the following:
“tunities, financial loss, identity theft, identity fraud, negative”
(c) by replacing line 9 on page 11 with the following:
“(b.1) the number of individuals whose personal information was involved; and”
(d) by replacing line 12 on page 11 with the following:
“individual of the loss or disclosure of, or unauthorized access to, personal information or of a breach of security safeguards”
(e) by replacing line 3 on page 12 with the following:
“and maintain a record of every incident involving the loss or disclosure of, or unauthorized access to, personal information under its control and of every breach of”