Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law, known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act), adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons.)

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen its privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.
