Skip to content

Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.

SHARE

Archive

Search Archive


Search
Generic filters

 
 

Changes to job classifications and immigration impacts

November 23, 2022

By Brittany Trafford and Michiko Gartshore On November 16th, 2022 the Federal Government switched to the 2021 National Occupational Classification (NOC) structure from the prior 2016 version. The NOC is Canada’s national system used to…

Read More

Nova Scotia: Canada’s emerging immigration hub

November 17, 2022

As part our presenting sponsorship of the Halifax Chamber of Commerce’s Annual Fall Dinner, we are pleased to present a series of thought leadership articles highlighting the dinner’s themes of immigration, recruitment, and labour market…

Read More

Bill C-27 – Canada’s proposed Artificial Intelligence and Data Act

November 16, 2022

Kevin Landry, Charlotte Henderson, and James Pinchak The governance of Artificial Intelligence (AI) is entering a new era since the Canadian Government first announced a digital charter in 2019 as part of a larger-scale overhaul…

Read More

Discovery: Atlantic Education & the Law – Issue 11

November 14, 2022

We are pleased to present the eleventh issue of Discovery, our very own legal publication targeted to educational institutions in Atlantic Canada. With a new academic year well underway, the Atlantic Region is finally seeing…

Read More

The Winds of Change (Part 5): Atlantic Canada poised to benefit from clean energy tax credits

November 10, 2022

By Jim Cruikshank, Graham Haynes, and Dave Randell On November 3, 2022, the Honourable Chrystia Freeland delivered the Federal Government’s Fall Economic Statement (“FES”).  The FES included a number of tax related announcements, including further…

Read More

“Constructive Taking”: Consequences for municipalities from the Supreme Court of Canada decision in Annapolis Group Inc. v. Halifax Regional Municipality

November 10, 2022

By Stephen Penney, Joe Thorne, and Giles Ayers A new decision from the Supreme Court of Canada, Annapolis Group Inc. v. Halifax Regional Municipality, 2022 SCC 36 (“Annapolis”), has changed the law of constructive expropriation across the…

Read More

Attract & Retain: Nova Scotia taps foreign healthcare workers to fill labour shortages

November 10, 2022

As part our presenting sponsorship of the Halifax Chamber of Commerce’s Annual Fall Dinner, we are pleased to present a series of thought leadership articles highlighting the dinner’s themes of immigration, recruitment, and labour market…

Read More

The rise of remote work and Canadian immigration considerations

November 3, 2022

As part our presenting sponsorship of the Halifax Chamber of Commerce’s Annual Fall Dinner, we are pleased to present a series of thought leadership articles highlighting the dinner’s themes of immigration, recruitment, and labour market…

Read More

The future of express entry: Targeted draws to meet Canada’s economic needs

November 2, 2022

By Sara Espinal Henao Since its initial launch in January 2015, Express Entry has been a pillar of Canada’s immigration system. Recently passed amendments to the Immigration and Refugee Protection Act (IRPA) promise to drive…

Read More

Filling labour gaps with foreign workers: What Canadian employers need to know

October 28, 2022

By Brittany Trafford It is no secret that employers in Atlantic Canada are struggling to fill labour gaps. In June 2019 the Atlantic Canada Opportunities Agency (ACOA) published a report[1] indicating that the overall labour…

Read More

Search Archive


Search
Generic filters

Scroll To Top