Skip to content

Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.

SHARE

Archive

Search Archive


 
 

Client Update: A judge’s guide to settlement approval and contingency fee agreements in P.E.I.

July 25, 2013

In Wood v. Wood et al, 2013 PESC 11, a motion pursuant to Rule 7.08 of the Rules of Civil Procedure for court approval of a settlement involving a minor, Mr. Justice John K. Mitchell approved the settlement among the…

Read More

Client Update: Directors will be liable for unpaid wages and vacation pay

July 8, 2013

Clients who sit on boards of corporate employers should take note of recent amendments made to New Brunswick’s Employment Standards Act (the “ESA”) which could increase their exposure to personal liability in connection with claims advanced by…

Read More

Client Update: To B or Not To B? Potential Changes to PEI Auto Insurance

June 28, 2013

Significant changes may be coming to the standard automobile policy in PEI, including increases to the accident benefits available under Section B and an increase to the so-called “cap” applicable to claims for minor personal…

Read More

Client Update: Special Project Orders the next milestone for Muskrat Falls progress

June 21, 2013

On June 17, 2013, pursuant to the recently amended Section 70 of the Labour Relations Act for Newfoundland and Labrador (“NL”), the Government of Newfoundland and Labrador issued three Special Project Orders (“SPOs”) in respect of the…

Read More

Client Update: Hold your breath, SCC rules on random alcohol testing

June 17, 2013

On June 14, 2013, the Supreme Court of Canada (“the Court”) released the decision that employers across the country were waiting for. In CEP Local 30 v. Irving Pulp & Paper Ltd., 2013 SCC 34, a…

Read More

Client Update: Newfoundland and Labrador Aboriginal Consultation Policy

June 14, 2013

The Government of Newfoundland and Labrador (“NL”) has recently released its “Aboriginal Consultation Policy on Land and Resource Development Decisions” (the “Policy”). A copy of the Policy can be accessed here. This new Policy is the…

Read More

Spring 2013 Labour & Employment Atlantic Canada Legislative Update

June 11, 2013

The following is a province-by-province update of legislation from a busy 2013 spring session in Atlantic Canada. Watching these developments, we know the new legislation that has passed or could soon pass, will impact our…

Read More

Client Update: Jury Duty – Time to Think Twice

June 6, 2013

The integrity of the jury system has become a pressing topic for our courts of late, with articles about jury duty frequently appearing front and centre in the press. The recent message from the Nova…

Read More

Doing Business in Atlantic Canada (Summer 2013)(Canadian Lawyer magazine supplement)

June 2, 2013

IN THIS ISSUE: Cloud computing: House to navigate risky skies by Daniela Bassan and Michelle Chai Growing a startup by Clarence Bennett, Twila Reid and Nicholas Russon Knowing the lay of the land – Aboriginal rights and land claims in Labrador by Colm St. Roch Seviour and Steve Scruton Download…

Read More

Client Update: The Personal Health Information Act (PHIA) is coming…..

May 27, 2013

DOES IT APPLY TO YOU? On June 1, 2013, the Personal Health Information Act (PHIA) comes into force in Nova Scotia.  If you are involved in health care in Nova Scotia, you need to know whether PHIA…

Read More

Search Archive


Scroll To Top