Starting on November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to give notice of certain privacy breaches.
The breach reporting requirements relate to a “breach of security safeguards,” which is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
If it is reasonable to believe that a breach of security safeguards involving personal information under an organization's control creates a real risk of significant harm to an individual:
- the organization must report the breach to the Privacy Commissioner of Canada;
- the organization must notify the affected individuals, unless such notification is prohibited by law; and
- an organization that notifies individuals must also notify any other organization or government institution that it believes may be able to reduce the risk of harm resulting from the breach or mitigate that harm.
The form and content of the required notices are set out in regulations.
There is no fixed deadline for giving notice; the required notices must be provided as soon as feasible after the organization determines that the breach has occurred. What counts as feasible will vary on a case-by-case basis.
In addition to the form and content requirements for notices, organizations must keep a record of every breach of security safeguards, whether or not it met the reporting threshold, retain those records for 24 months after determining that the breach occurred, and provide them to the Privacy Commissioner on request.
Guidance from the privacy commissioner states that the minimum expectation for the records includes information about:
- the date or estimated date of the breach;
- a general description of the circumstances of the breach;
- the nature of information involved in the breach;
- whether the breach was reported to the Privacy Commissioner of Canada and whether affected individuals were notified; and
- if the breach was not reported, a brief explanation of why the breach was determined not to pose a real risk of significant harm.
Similar breach reporting requirements already exist in Alberta and Australia, and in the EU under the GDPR. The new PIPEDA rules will apply to a broad range of commercial activities in provinces without substantially similar private sector privacy laws, as well as federal works and undertakings (telecommunications, interprovincial transportation, banks, etc.) across the country.