Are You Ready for Mandatory Breach Reporting and Notification?

April 19, 2018

Written By Ruth E. Promislow, Martin P.J. Kratz and Katherine Rusk

Almost three years after the Digital Privacy Act was passed, the federal government has finalized regulations on mandatory breach notification, reporting, and recordkeeping for the private sector in Canada. The regulations were published yesterday and by separate Order in Council will come into force November 1, 2018, under the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA applies to the collection, use, or disclosure of personal information in the course of a commercial activity and across borders. It applies to the federally regulated private sector and, in most provinces, to the provincially regulated private sector as well.[1] A breach under PIPEDA requires three elements: (1) the collection of personal information; (2) a violation or breach of the obligation to maintain adequate security for that personal information (the security safeguards); and (3) a resulting loss of, unauthorized access to, or unauthorized disclosure of personal information.

Mandatory reporting will be required where the breach creates a "real risk of significant harm". PIPEDA defines "significant harm" as including humiliation, damage to reputation or relationships, and identity theft.

If a breach carries a real risk of significant harm, three obligations on the part of the breached organization come into play: (1) notification of the impacted individuals; (2) a written report to the Office of the Privacy Commissioner (OPC); and (3) retention of a breach record. Organizations may also be required to notify third parties where those third parties are able to mitigate harm to the affected individuals.

1. Notification of the Impacted Individuals

Direct notification must be provided to the impacted individuals "as soon as feasible". The notification must include certain prescribed elements, including: a description of the breach and the information compromised, the steps the organization has taken to reduce harm, a description of steps the impacted individuals can take to reduce harm, and contact information for further information. The notification can be provided in any "reasonable" manner, including in person, by email, or by telephone.

There is also an option to provide indirect notification if direct notification would cause further harm to the individual, cause undue hardship to the organization, or is not possible.

A deliberate failure to notify the affected individuals can be considered an offence under the new regulations, leading to a fine of up to $100,000.

2. Written Report to the OPC

A report of the breach must be made in writing to the OPC "as soon as feasible". The report must contain prescribed elements such as: a description of the breach, the date, the number of individuals impacted, the type of personal information that has been compromised, and a description of the steps taken to reduce the risk of harm.

A deliberate failure to report to the OPC can be considered an offence under the new regulations, leading to a fine of up to $100,000.

3. Recordkeeping

The organization must maintain a record of every breach of security safeguards for at least 24 months after the date on which the organization learned of the breach. That record can be requested by the OPC.

A deliberate failure to record the breach can be considered an offence under the new regulations, leading to a fine of up to $100,000.

Having an incident response plan is an integral part of ensuring compliance with your organization's obligations under PIPEDA and other law. A key part of that plan is advance preparation for mandatory breach notification. The Bennett Jones Cybersecurity team can help update your existing plan to reflect these new requirements or draft a customized plan to ensure your organization is prepared when a data breach occurs.

[1] Certain provinces, such as Alberta, British Columbia and Quebec, have provincial private-sector privacy legislation that has been declared substantially similar to PIPEDA. Of those, Alberta's Personal Information Protection Act has had mandatory private-sector breach reporting since 2010.
