Skip to content

Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.

SHARE

Archive

Search Archive


 
 

Compensation for expropriation: Fair, but not more than fair

June 17, 2024

By Erin Best, Stephen Penney, Robert Bradley, Megan Kieley1 and Elizabeth Fleet1 Expropriation is a live issue in Canadian courts. The Supreme Court of Canada’s decision to broaden the test for constructive expropriation in Annapolis…

Read More

Changes affecting federally regulated employers

June 10, 2024

By Killian McParland and Sophie Poulos There have been many changes in recent months affecting employers governed by federal labour and employment laws. In September 2024, Stewart McKelvey will be hosting a webinar to review…

Read More

Impending changes to Nova Scotia’s Workers’ Compensation Act – Gradual onset stress

June 4, 2024

By Mark Tector and Annie Gray What’s changing? Currently, workers’ compensation coverage in Nova Scotia applies to only a narrow subset of psychological injuries. Specifically, in Nova Scotia – as in all Atlantic Provinces –…

Read More

Appeal Courts uphold substantial costs awards for regulators

May 22, 2024

By Sean Kelly & Michiko Gartshore Professional regulators can incur substantial costs through discipline processes. These costs are often associated with investigations, hearings as well as committee member expenses and are an unfortunate by-product of…

Read More

Less than two weeks to go … Canada Supply Chain Transparency Reports are due May 31st

May 21, 2024

By Christine Pound, ICD.D., Twila Reid, ICD.D., Sarah Dever Letson, CIPP/C, Sheila Mecking, Hilary Newman, and Daniel Roth Introduction The first reports under the Fighting Against Forced Labour and Child Labour in Supply Chains Act (the…

Read More

Court upheld municipality’s refusal to disclose investigation report

May 1, 2024

By Sheila Mecking and Sarah Dever Letson A recent decision out of the Court of King’s Bench of New Brunswick,[1] upheld the Municipality of Tantramar’s decision to withhold a Workplace Assessment Report under section 20(1)…

Read More

Occupational Health and Safety sentencing decision – Nova Scotia

April 29, 2024

By Sean Kelly & Tiegan Scott Earlier this month, the Provincial Court of Nova Scotia issued its sentencing decision in R v The Brick Warehouse LP, 2024 NSPC 26, imposing a monetary penalty of $143,750 (i.e.,…

Read More

Canada 2024 Federal Budget paves the way for Open Banking

April 22, 2024

By Kevin Landry On April 15, 2024, the Canadian federal budget was released. Connected to the budget was an explanation of the framework for Canada’s proposed implementation of Open Banking (sometimes called consumer-driven banking). This follows…

Read More

Reset for renewables: Nova Scotia overhauls energy regulation and governance in advance of influx of renewable energy

April 5, 2024

By Nancy Rubin and James Gamblin The Government of Nova Scotia has embarked on a path to dramatically reshape the regulation and governance of the energy sector with the passage of Bill 404, the Energy…

Read More

An employer’s guide to human rights law in Atlantic Canada

April 2, 2024

By Kathleen Starke and Annie Gray Human rights landscape Human rights legislation prohibits discrimination in specific contexts, including employment and the provision of services. In all Atlantic Provinces, Human Rights Commissions are responsible for enforcing…

Read More

Search Archive


Scroll To Top