Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA
You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.
The gist of the breach reporting obligations is as follows:
A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).
Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.
Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.
The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.
Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.
The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.
The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.
Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.
Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)
The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.
Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.
The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.
You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.
This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.
Archive
We are pleased to present the seventh issue of Discovery, our very own legal publication targeted to educational institutions in Atlantic Canada. While ‘back to school’ may look a little different this year, Stewart McKelvey is…
Read More2021: The Year of the Overshare Richard Niedermayer, TEP, Sarah Almon and Madeleine Coats Governments around the world are taking steps to increase transparency at the expense of privacy. In Canada, federal government strategies to…
Read MoreKoren Thomson and Sarah Byrne On November 17, 2020, the Digital Charter Implementation Act, 2020 (“Act”) was introduced as Bill C-11. This is the first major update to the federal private sector privacy regime in…
Read MoreJennifer Thompson The Federal Government has released draft Regulations under the Pay Equity Act (“the Act”), almost 11 months after the Act received Royal Assent. The Act, which is not yet in force, makes significant…
Read MoreKathleen Leighton Employers often wonder what steps they need to take to hire international talent, including what support they must provide to enable a foreign worker to obtain proper work authorization in Canada. This is…
Read MoreKathleen Leighton Express Entry system Express Entry is a system that enables skilled foreign nationals who are looking to settle in Canada indefinitely to apply for permanent residency status. This system prioritizes individuals who are…
Read MoreKatharine Mack The federal government has recently announced a series of changes to be made to benefit programs rolled out in response to the COVID-19 pandemic. The extension or expansion of these benefits and support…
Read MoreChad Sullivan and Kathleen Nash In late June 2020, the Federal Government released the official version of the new Work Place Harassment and Violence Prevention Regulations¹ (“Regulations”) along with Bill C-65, the federal anti-harassment and…
Read MoreSara Espinal Henao Canada wants entrepreneurs. With a strong and stable economy, world leading growth opportunities across industries, and a highly educated workforce, it is a great place to build a dynamic business that can…
Read MoreKillian McParland Earlier today, the Supreme Court of Canada released a new decision with significant implications for employers in Matthews v. Ocean Nutrition Canada Ltd. While the underlying case came out of Nova Scotia, it…
Read More