Breach Notification

When an organization experiences a breach of security safeguards involving personal information under its control, PIPEDA requires it to take specific actions. Every breach, regardless of severity, triggers the requirement to keep a record of the breach for 24 months. A breach that creates a real risk of significant harm to an individual additionally triggers obligations to report the breach to the Privacy Commissioner, to notify the affected individual(s), and to notify any other organization or government institution that "may be able to reduce the risk of harm that could result from [the breach] or mitigate that harm," which could include law enforcement. The definition of significant harm is broad and includes "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property."

Organizations determine whether there is a real risk of significant harm based on what is reasonable in the circumstances. The factors relevant to that determination are the sensitivity of the personal information involved in the breach and the probability that the information has been, is being or will be misused. The number of affected persons is not a factor: a breach affecting one person creates a real risk of significant harm under the same conditions as a breach affecting one million people.

Alberta's Personal Information Protection Act (PIPA) [1] also has mandatory breach notification requirements, so brands need to consider PIPA's applicability when preparing for and responding to data breaches. Breach notification obligations can make breaches even more costly for the affected organization. An incident response plan, and regular testing of that plan, are therefore critical; if a breach does occur, a tested plan can minimize the damage the brand experiences.

  1. Personal Information Protection Act, SA 2003, c P-6.5


Storing or accessing the personal information of Canadian residents from outside Canada is not prohibited, but it presents some compliance challenges. Alberta's PIPA requires organizations to notify individuals when they transfer personal information to a service provider located outside Canada. Québec's privacy legislation requires organizations to take all reasonable steps to ensure that personal information transferred across the border for processing will not be used for new purposes or communicated to third parties without the consent of the individuals concerned.

Federally, the OPC's current position under PIPEDA is that a transfer of personal information to a service provider located outside Canada is a "use" of the information rather than a "disclosure." This means that separate consent for the transfer is not required, though the OPC has stated that, under PIPEDA's openness principle, individuals should be given notice that their information may be transferred and processed outside Canada.
