The federal government has set November 1, 2018 as the date the mandatory breach reporting provisions of the Personal Information Protection and Electronic Documents Act ("PIPEDA") will come into effect.
The breach reporting obligation will apply to all federally regulated employers (including banks, telecommunication companies, airlines, and other interprovincial businesses) and private sector employers operating in the Yukon, Northwest Territories and Nunavut.
For provincially regulated employers, Alberta is currently the only province with mandatory private sector privacy breach reporting requirements. However, we also recommend that British Columbia-based private sector organizations report privacy breaches to the Office of the Information and Privacy Commissioner for British Columbia on a voluntary basis as a precautionary measure.
Both Alberta and the federal government have adopted the "real risk of significant harm" standard. Key elements of this test relate to the sensitivity of the personal information and the likelihood that it could be misused. Where a "real risk of significant harm" is posed by the leak or theft of personal information, employers must report the breach of privacy to the affected individuals, e.g. employees, as well as to the privacy commissioner.
Employers are also required to take steps to mitigate the harm to those individuals where possible. This may involve plugging the leak or requiring that erroneously distributed documents containing private information be deleted or destroyed. Employers are also required to notify third-parties that may be able to assist in the mitigation of harm where necessary.
Finally, employers should maintain a record of data breaches, whether or not they meet the "real risk of significant harm" standard as they may be reviewed by the privacy commissioner.
With thanks to articling student Jason Harmon for his assistance drafting this post.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.