Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.

SHARE

Archive

Search Archive


Generic filters
Filter by Custom Post Type

 
 

Client Update: Nova Scotia announces changes to defined benefit pension funding

March 13, 2019

Level Chan and Dante Manna On March 12, 2019, the Nova Scotia legislature introduced long anticipated amendments to the Pension Benefits Act (“PBA”) which, according to a statement by Finance Minister Karen Casey, are aimed…

Read More

Client Update: Supreme Court rules bankrupt companies cannot walk away from their environmental liabilities in Redwater decision

March 6, 2019

Julia Parent and Graham Haynes In the long-awaited decision in the case of Orphan Well Association v Grant Thornton Ltd, the Supreme Court of Canada held that end-of-life environmental cleanup obligations imposed by Alberta’s provincial…

Read More

Client Update: Richards Estate sets the limits on actions against LTD insurers

March 6, 2019

Michelle Chai & Jennifer Taylor Justice Ann Smith of the Supreme Court of Nova Scotia recently dismissed an action against a disability insurer for being out of time. The case, Richards Estate v Industrial Alliance…

Read More

Client Update: Outlook for the 2019 proxy season

February 28, 2019

In preparing for the 2019 proxy season, you should be aware of some regulatory changes and institutional investor guidance that may impact disclosure to, and interactions with, your shareholders. This update highlights what is new…

Read More

Client Update: New regulation under New Brunswick’s Occupational Health and Safety Act tackles workplace violence and harassment – coming into force April 1, 2019

February 7, 2019

Chad Sullivan and Bryan Mills New Brunswick has recently introduced a new regulation under the Occupational Health and Safety Act on the topic of problematic workplace conduct. The change will bring New Brunswick in line…

Read More

Client Update: Not a “token gesture”: Nova Scotia Court of Appeal confirms deductibility of future CPP disability benefits from tort damages

January 18, 2019

Jennifer Taylor In an important decision for the auto insurance industry, the Nova Scotia Court of Appeal has confirmed that future CPP disability benefits are indeed deductible from damages awarded in Nova Scotia cases for…

Read More

Client Update: Change is the only constant – Bill C-86 changes in federal labour and employment regulation

January 18, 2019

Brian Johnston, QC and Matthew Jacobs Bill C-86, enacted as SC 2018, c. 27, will effect massive changes upon how federal labour and employment relations are regulated. They come into effect in 2019 with staggered…

Read More

2018 Year in Review: Atlantic Canada Labour & Employment Law Developments

January 17, 2019

We can all make 2019 a success by building on the year that was. For employers, 2018 was a year of many notable developments in labour and employment law across the country. We saw Ontario…

Read More

Client Update: Atlantic Canada pension and benefits countdown to 2019

December 28, 2018

Level Chan and Dante Manna As 2018 comes to an end, we countdown some pension and employee benefits developments in the last year that we anticipate may lead to developments in 2019. Discrimination in benefits…

Read More

Client Update: Canada’s Proposed Cannabis Edibles, Extracts and Topicals Regulations Revealed

December 21, 2018

Kevin Landry The first look at regulations for cannabis edibles, extracts and topicals has arrived. The Federal Government has opened a 60-day consultation period respecting the strict regulation of additional cannabis products. Notice of the consultation was accompanied…

Read More

Search Archive


Generic filters
Filter by Custom Post Type