New Canadian Privacy Breach Notification Rules Take Effect November 1, 2018

PIPEDA Breach Rules

With rising cases of high profile cybersecurity breaches, such as Facebook-Cambridge Analytica, the Canadian Government recently outlined the long-awaited implementation of key changes to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA generally applies to private sector organizations in any province or territory (except Alberta, British Columbia and Quebec) that collect, use or disclose personal information in the course of commercial activity. PIPEDA also applies to federally regulated organizations that conduct business in Canada. Such private sector organizations governed by PIPEDA now have less than four months to prepare for the legislative changes which include mandatory data breach reporting and notification. These new provisions come into force on November 1, 2018.

The changes will have sweeping compliance obligations and carry risk of financial penalties. Organizations that knowingly fail to report to the Privacy Commissioner of Canada (“the Commissioner”) or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches, could face fines of up to $100,000.

What is Required of Organizations?

The new rules will require organizations that experience a data breach to report the incident to the Commissioner and notify the impacted parties. Organizations will be required to report and notify in all circumstances where the breach reasonably creates “a real risk of significant harm to the individual.” This expansive harm trigger defines “significant harm” as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damages to or loss of property.”

When such a breach occurs, an organization will have to report and notify “as soon as feasible.”

Breach Reporting and Notification Requirements

When reporting to the Commissioner, an organization must provide the appropriate information in writing, and must include such information as: the breach and its cause, and estimated number of people at risk, and a description of the personal information that was compromised.  

In addition to reporting to the Commissioner, affected consumers need to be notified. The affected consumers must be provided with:
1) A description of the circumstances of the breach;
2) The day on which, or the period during which, the breach occurred or, if neither is known, the approximate day or period;
3) A description of the personal information that is the subject of the breach to the extent that the information is known;
4) A description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
5) A description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
6) Contact information that the affected individual can use to obtain further information about the breach.

Record Keeping Requirements

PIPEDA also requires an organization to create and maintain a record of all breaches, even those that do not meet the “risk of significant harm” threshold. These records must be kept for two years from the day the organization determined a breach occurred, and must contain enough information to enable the Commissioner to verify compliance with the breach reporting provisions.

Given the November 1, 2018 implementation date, it is essential all organizations develop policies and procedures to ensure compliance with the legislation and consistent reporting and record keeping.

If you have any questions relating to this article or wish to discuss your particular concerns, you may reach the author at iwick@kmblaw.com or (905) 276-0425.​