Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA
You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.
The gist of the breach reporting obligations is as follows:
A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).
Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.
Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.
The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.
Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.
The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.
The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.
Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.
Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)
The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.
Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.
The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.
You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.
This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.
Archive
By Brian Tabor, QC and Colin Piercey Bill 81 and Bill 15, receiving Royal Assent in 2013 and 2014 respectively, are due to take effect this month. On June 30, 2017, amendments to the Builders’…
Read MoreNew Brunswick continues to be a thought leader in the field of regulation of recreational cannabis and provides us with a first look at what the provincial regulation of recreational cannabis might look like. New…
Read MoreRick Dunlop and Richard Jordan In Stewart v. Elk Valley Coal Corporation, 2017 SCC 30, a six-judge majority of the Supreme Court of Canada (“SCC”) confirmed a Tribunal decision which concluded that the dismissal of an…
Read MoreBy Kevin Landry New Brunswick’s Working Group on the Legalization of Cannabis released an interim report on June 20, 2017. It is a huge step forward in the legalization process and the first official look at how legalization…
Read MoreRick Dunlop and Kevin Landry As we explained in The Cannabis Act- Getting into the Weeds, the Cannabis Act introduces a regulatory regime for recreational marijuana in Canada. The regime promises to be complex. The details of legalization will be…
Read MoreOn April 1, 2017, the New Brunswick Lobbyists’ Registration Act was proclaimed into force (the “Act”), requiring active professional consultant or in-house lobbyists to register and file returns with the Office of the Integrity Commissioner of New…
Read MoreJoe Thorne and Jessica Habet How far can an insurer dig into the Plaintiff’s history to defend a claim? And how much information is an insurer entitled to have in order to do so? In English v.…
Read MoreNeil Jacobs, QC, Joe Thorne and Meaghan McCaw The Newfoundland and Labrador Court of Appeal recently confirmed that accounting/auditing firms may take on several mandates in respect of companies that may or do become insolvent in Wabush Hotel Limited…
Read MoreJoe Thorne and Brandon Gillespie An independent medical examination (“IME”) is a useful tool for insurers. An IME is an objective assessment of the claimant’s condition for the purpose of evaluating coverage and compensation. Where a…
Read MoreOn June 2, 2017 the Supreme Court of Canada released its decision in Saadati v. Moorhead, 2017 SCC 28, clarifying the evidence needed to establish mental injury. Neither expert evidence nor a diagnosed psychiatric illness…
Read More