Skip to content

Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.

SHARE

Archive

Search Archive


 
 

Amendments required for Prince Edward Island code of conduct bylaws

September 18, 2023

By Perlene Morrison, K.C. Municipalities are required to pass code of conduct bylaws in accordance with section 107 of the Municipal Government Act (the “MGA”). Subsection 107(1) of the MGA specifically states that a municipality’s…

Read More

Professionally speaking: Ontario Superior Court upholds professional regulators’ right to moderate speech

September 14, 2023

By Sheila Mecking and Kathleen Starke On August 23, 2023, the Ontario Superior Court (“ONSC”) upheld a complaints decision which ordered a psychologist to complete a continuing education or remedial program regarding professionalism in public…

Read More

One-year reminder for federal employers: Pay equity plans due September 3, 2024

September 5, 2023

By Dante Manna As we advised in a previous podcast, all federal employers with at least ten employees[1] have been subject to the Pay Equity Act [2] (“PEA”) and Pay Equity Regulations [3] (“Regulations”) since…

Read More

Charging to net-zero: Government releases draft Clean Electricity Regulations

August 23, 2023

By Nancy Rubin, K.C. Environment and Climate Change Canada (ECCC) recently published a draft of the Clean Electricity Regulations (CER). The proposed Regulations work toward achieving a net-zero electricity-generating sector, helping Canada become a net-zero…

Read More

Supreme Court of Newfoundland and Labrador rejects developer’s constructive expropriation claim

August 18, 2023

By Stephen Penney & Matthew Raske In the recent decision Index Investment Inc. v. Paradise (Town), 2023 NLSC 112, the Supreme Court of Newfoundland and Labrador validated the Town of Paradise’s decision to rezone lands…

Read More

IRCC expands authorization for foreign workers to study without a study permit: Four things you need to know

July 13, 2023

By Sara Espinal Henao Immigration, Refugees and Citizenship Canada (“IRCC”) has announced a promising new temporary measure that allows foreign workers to study for a longer duration without a study permit, opening the door for…

Read More

Canada’s first-ever Tech Talent Strategy announced

July 12, 2023

By Brendan Sheridan The Government of Canada recently announced a number of aggressive immigration measures to help attract top talent to Canada in high-growth industries in an effort to fuel innovation and drive emerging technologies.…

Read More

ESG and dispute resolution: fighting for greener ways

July 5, 2023

By Daniela Bassan, K.C. All stakeholders in the legal profession, including litigators, have a shared interest in promoting environmental, social, and governance (ESG) pathways towards building a greener society. It is crucial for litigators to…

Read More

Amendments to the Canada Business Corporations Act affecting registers of individuals with significant control

June 30, 2023

By Kimberly Bungay and Colton Smith Since June of 2019, corporations formed under the Canada Business Corporations Act have been required to prepare and maintain a register of individuals with significant control (an “ISC Register”).…

Read More

Navigating the waters: Compliance with multiple regimes

June 22, 2023

By Kim Walsh and Olivia Bungay Compliance with Russian sanctions goes beyond complying with Canada’s Russia Regulations. Canadian individuals and businesses may be unaware of several other sanctions regimes that apply to them. In conjunction…

Read More

Search Archive


Scroll To Top