
PIPEDA Findings #2020-005: Investigation into Desjardins’ compliance with PIPEDA following a breach of personal information between 2017 and 2019
This investigation examined Desjardins' compliance with PIPEDA following a significant data breach that occurred between 2017 and 2019, affecting nearly 9.7 million individuals. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins contravened PIPEDA principles regarding accountability, data retention, and security safeguards. While Desjardins' mitigation measures for affected individuals were deemed adequate, the OPC issued recommendations to address the identified contraventions.
- Adequacy of security safeguards throughout the personal information lifecycle.
- Compliance with accountability principles, including implementing procedures and training staff.
- Appropriateness of data retention and destruction practices.
- Effectiveness of mitigation measures offered to individuals affected by the breach.
Complaint well-founded and conditionally resolved.
Desjardins contravened PIPEDA principles concerning accountability, data retention, and security safeguards due to inadequate implementation of policies, insufficient employee training, weak access controls, and a lack of proactive monitoring. However, the resolution was conditional as Desjardins committed to implementing the OPC's recommendations.
AI-generated summary for reference only. Always verify against the official decision.
Desjardins accepted all OPC recommendations, including providing progress reports, finalizing a retention schedule, deleting or anonymizing expired data, monitoring data transfer requests, and undergoing an external audit of its information security and privacy program.
- Principle 4.7 PIPEDA
- Principle 4.1 PIPEDA
- Principle 4.5 PIPEDA
- s. 1.1 Breach of Security Safeguards, PIPEDA
This summary is for informational purposes only and does not constitute legal advice.

