As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.
Through an Order in Council, the Federal Government has announced that previous PIPEDA breach notification amendments will come into force this November.
PIPEDA will require organizations to provide certain notifications of a breach when it is reasonable to believe that the breach creates a real risk of significant harm to the individual. In particular:
- Organizations will be required to report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information under their control, if it is reasonable to believe the breach creates a real risk of significant harm to an individual;
- Organizations will be required to notify individuals of any breach of security safeguards involving personal information under their control, if it is reasonable to believe the breach creates a real risk of significant harm to an individual, unless such notification is prohibited by law; and
- Organizations may have to notify other organizations if those organizations may be able to reduce the risk of harm.
The form and content of the required notices will be set out in regulation. Canada has proffered draft regulations; however, no final regulations have been announced. You can read our article on the draft regulations here.
There is no specific time requirement to give notice; however, the required notices must be provided as soon as feasible after the organization determines the breach has occurred. That will vary on a case-by-case basis.
In addition to the form and content requirements of notices, the draft regulations also purport to require organizations to maintain certain records of every breach. This is a broad requirement which may extend beyond those breaches which create a real risk of significant harm.
These breach notification requirements will be a significant change in Canada’s privacy laws. Similar requirements already exist in Alberta and Australia, and will be in force in the EU under the GDPR in May. They will apply to a broad range of commercial activities in provinces without substantially similar private sector privacy laws, as well as federal works and undertakings (telecommunications, interprovincial transportation, banks etc.) across the country.
In anticipation of these requirements, organizations should be updating their breach response plans and record keeping practices.