Starting on November 1, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.
The breach reporting requirements relate to a "breach of security safeguards," which is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards, or from a failure to establish those safeguards.
If it is reasonable to believe the breach of security safeguards creates a real risk of significant harm to the individual:
- Organizations will be required to report to the privacy commissioner of Canada any breach of security safeguards involving personal information under its control, if it is reasonable to believe the breach creates a real risk of significant harm to an individual;
- Organizations will be required to notify individuals of any breach of security safeguards involving personal information under its control, if it is reasonable to believe the breach creates a real risk of significant harm to an individual, unless such notification is prohibited by law; and
- Organizations may have to notify other organizations if they may be able to reduce the risk of harm.
The form and content of the required notices are set out in regulations.
There is no specific time requirement to give notice; however, the required notices must be provided as soon as feasible after the organization determines the breach has occurred. That will vary on a case-by-case basis.
In addition to the form and content requirements of notices, the regulations require organizations to maintain certain records of every breach.
Guidance from the privacy commissioner states that the minimum expectation for the records includes information about:
- the date or estimated date of the breach;
- a general description of the circumstances of the breach;
- the nature of information involved in the breach;
- whether or not the breach was reported to the privacy commissioner of Canada/individuals were notified; and
- if the breach was not reported, a brief explanation of why the breach was determined not to pose a real risk of significant harm.
Similar breach reporting requirements already exist in Alberta and Australia, and in the EU under the GDPR. The new PIPEDA rules will apply to a broad range of commercial activities in provinces without substantially similar private sector privacy laws, as well as federal works and undertakings (telecommunications, interprovincial transportation, banks, etc.) across the country.
About Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.
For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.
Law around the world
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.