As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.
Through an order-in-council, the federal government has announced that the previously enacted PIPEDA breach notification amendments will come into force this November.
PIPEDA will require organizations to provide certain notifications of a breach when it is reasonable to believe the breach creates a real risk of significant harm to the individual. In particular:
Organizations will be required to report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information under their control, if it is reasonable to believe the breach creates a real risk of significant harm to an individual;
Organizations will be required to notify individuals of any breach of security safeguards involving personal information under their control, if it is reasonable to believe the breach creates a real risk of significant harm to an individual, unless such notification is prohibited by law; and
Organizations may have to notify other organizations if those other organizations may be able to reduce the risk of harm.
The form and content of the required notices will be set out in regulation. While Canada has proffered draft regulations, no final regulations have been announced. You can read our article on the draft regulations here.
There is no specific time requirement to give notice; however, the required notices must be provided as soon as feasible after the organization determines the breach has occurred. What counts as feasible will vary on a case-by-case basis.
In addition to the form and content requirements of notices, the draft regulations, if adopted, will require organizations to maintain certain records of every breach. This is a broad requirement that may extend beyond those breaches that create a real risk of significant harm.
These breach notification requirements will be a significant change in Canada’s privacy laws. Similar requirements already exist in Alberta and Australia, and will be in force in the EU under the GDPR in May. They will apply to a broad range of commercial activities in provinces without substantially similar private sector privacy laws, as well as to federal works and undertakings (telecommunications, interprovincial transportation, banks, etc.) across the country.
In anticipation of these requirements, organizations should be updating their breach response plans and record-keeping practices.