Skip to content

Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.

SHARE

Archive

Search Archive


 
 

Client Update: The Employer’s implied contractual obligation to supply work: common law developments in employment law

March 10, 2015

Following several Supreme Court of Canada decisions in the late 1990s and early 2000s, the law of constructive dismissal was well defined – or so many thought. The Court’s decision in Potter v. New Brunswick Legal…

Read More

Client Update: Auto Insurance – Direct compensation for property damage is coming to PEI

March 5, 2015

In our May 20, 2014 client update, we reported on significant changes affecting automobile insurance in Prince Edward Island, including changes to no-fault benefits available under section B and changes to the damages cap for minor…

Read More

Labour and Employment Legislative Update 2014

February 10, 2015

2014 LABOUR AND EMPLOYMENT ATLANTIC CANADA LEGISLATIVE UPDATE As we move forward in 2015, we know our region’s employers will want to be aware of new legislation that has passed or could soon pass that…

Read More

Client Update: 2015 Minor Injury Cap

January 30, 2015

On January 28, 2015, the Office of the Superintendent of Insurance issued a bulletin in Nova Scotia. The 2015 minor injury cap has been set at $8,352, an increase of 1.7 per cent over 2014.…

Read More

Client Update: Outlook for the 2015 Proxy Season

January 29, 2015

In preparing for the 2015 proxy season, you should be aware of some regulatory changes that may impact disclosure to and interactions with your shareholders. This update highlights what is new in the 2015 proxy…

Read More

Client Update: Reaching New Limits – Recent Amendments to the PEI Lands Protection Act

January 6, 2015

During the Fall 2014 legislative sitting, the Province of Prince Edward Island passed legislation that results in significant changes to the Lands Protection Act. The amendments have just been proclaimed and were effective January 1, 2015.…

Read More

Atlantic Employers’ Counsel – Fall 2014

December 17, 2014

The Editor’s Corner Clarence Bennett This issue focuses on the family and the interaction between employment and family obligations. As 2014 comes to a close, I would like to extend Seasons Greetings to all of…

Read More

Client Update: Recent Developments: Disability Insurance Policies

December 17, 2014

RECENT DEVELOPMENTS: DISABILITY INSURANCE POLICIES & LIMITATION PERIODS IN NOVA SCOTIA Two recent Nova Scotia decisions have clarified the issue of limitation periods in disability insurance policies and “rolling” limitation periods.   THORNTON V. RBC…

Read More

Client Update: Changes to Related Party Election (Section 156 – Excise Tax Act)

December 16, 2014

Section 156 of the Excise Tax Act (the “ETA“) provides an election that relieves certain related parties from having to collect Harmonized Sales Tax (“HST“) on the goods and services sold between them. The election deems qualifying…

Read More

Doing Business in Atlantic Canada (Fall 2014) (Canadian Lawyer Magazine Supplement)

November 20, 2014

IN THIS ISSUE: More Than Wind – Emergence of Tidal Energy in Atlantic Canada by Sadira Jan Aquaculture and Salmon Farming in Atlantic Canada by Greg Harding The Expanding Atlantic Canada Offshore Industry: Growing Offshore without Going Offside by Stephen Penney and Rebecca…

Read More

Search Archive


Scroll To Top