Skip to content

Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.

SHARE

Archive

Search Archive


 
 

Labour & Employment podcast episode #2: “The Federal Pay Equity Act and Regulations”

August 3, 2021

In the second episode of our labour and employment podcast, Workplace Issues in Atlantic Canada: A Legal Perspective, host and practice group leader Rick Dunlop speaks with Annie Gray and Dante Manna about the Federal…

Read More

Volleyball coach reinstated after recruiting student athlete charged with sexual assault

July 30, 2021

Included in Discovery: Atlantic Education & the Law – Issue 08 Clarence Bennett It is increasingly difficult to reconcile the rights of a student charged with sexual assault, with the rights of the victim, along…

Read More

In the strictest confidence: reviewing confidentiality clauses with a view to fostering engagement and limiting risk

July 28, 2021

Included in Discovery: Atlantic Education & the Law – Issue 08 Jacob Zelman Striking the proper balance Public discourse around instances of sexual violence is at an all-time high. In the wake of the #MeToo…

Read More

Liability for online misconduct: do new torts mean increased risk for universities?

July 26, 2021

Included in Discovery: Atlantic Education & the Law – Issue 08 Nancy Rubin, QC and Jennifer Taylor   More than ever, many of our meetings, classes, presentations and personal communications are happening virtually. With this…

Read More

Corner Brook (City) v. Bailey: Canada’s top court clarifies the law of releases

July 23, 2021

Erin Best and Giles Ayers   Earlier today the Supreme Court of Canada released a unanimous decision in Corner Brook (City) v. Bailey. The case was successfully argued by Erin Best and Giles Ayers of…

Read More

I have trust issues – pension plan trust claim priorities in bankruptcy in Anthony Capital Corporation (Re), 2021 NLSC 91

July 23, 2021

Joe Thorne, with the assistance of Stuart Wallace (summer student) In a bankruptcy, there is inevitable conflict between all manner of creditors with competing claims. Our federal and provincial legislatures have identified certain claims as…

Read More

Making the grade or failing to accommodate: a case study

July 23, 2021

Included in Discovery: Atlantic Education & the Law – Issue 08 Lara Greenough In the recent decision of Longueépée v University  of Waterloo, 2020 ONCA 830, the Ontario Court of Appeal found the University of…

Read More

Mandatory vaccines in the workplace

July 21, 2021

Included in Discovery: Atlantic Education & the Law – Issue 08 Sheila Mecking and Evan MacKnight More than a year has passed since the Coronavirus disease (“COVID-19”) arrived in Atlantic Canada and caused all in-person…

Read More

Federal pay equity comes into force August 31, 2021

July 8, 2021

Annie Gray and Dante Manna The federal government has announced that the Pay Equity Act (“Act”) will come into force on August 31, 2021. It has also published the final version of the Pay Equity Regulations (“Regulations”), to come into effect on the…

Read More

Nova Scotia: a place to call home for businesses and immigrants alike

June 28, 2021

Sara Espinal Henao Nova Scotia is thriving. Having reached an all-time population high of 979,115 in 2020 and established itself as a start-up center and a top location for businesses, the province is poised for…

Read More

Search Archive


Scroll To Top