New Mandatory Data Breach Obligations Under Canada's Privacy Law

Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA for short, just got an upgrade. Effective November 1, 2018, organizations regulated under PIPEDA have mandatory reporting obligations if they experience a security breach involving personal information. Failure to comply with the reporting obligations can result in fines of up to $100,000 per violation and, of course, reputational damage. Furthermore, not only do organizations risk liability for non‑compliance, but directors of companies can also face personal liability under PIPEDA’s data breach requirements.

Does PIPEDA apply to your organization? There is a good chance it does. PIPEDA applies to any organization that collects, uses, or discloses personal information if that personal information crosses provincial borders. Additionally, non-Canadian organizations that collect Canadian personal information may also be subject to PIPEDA.

If an organization subject to PIPEDA experiences a “breach of security safeguards involving personal information under its control,” three obligations kick in:

  1. First, the organization must keep records of the breach. These records must be kept regardless of whether or not there is a real risk of significant harm. The records must contain certain information required by the Office of the Privacy Commissioner and must be kept for at least two years.
  2. Second, the organization must report the breach to the Office of the Privacy Commissioner if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. When determining whether the breach has created a real risk of significant harm, consider the sensitivity of the personal information that was breached and the probability that such information will be misused.
  3. Third, the organization must report the breach to the affected individual(s) if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Affected individuals must be notified of the breach as soon as feasible. As with the notice to the Office of the Privacy Commissioner, the notice to affected individuals must contain certain information.

To prepare for a data breach, all organizations should have a data breach response plan in place. This will help you control the situation, remain calm, and remain legally compliant in a fast-moving and very stressful situation.

If you’ve experienced a privacy breach, or are looking for assistance with putting together a data breach response plan, contact the author of this blog post, David McHugh (located in Vancouver, BC), at [email protected] or 604-629-5401.

The above blog post is provided for informational purposes only and has not been tailored to your specific circumstances. This blog post does NOT constitute legal advice or other professional advice and you may not rely on it as such.