Data Protection in Canada

Breach notification in Canada

Currently, PIPEDA, PIPA Alberta, and the Quebec Private Sector Act are the only Canadian privacy statutes with breach notification requirements.

In Alberta, an organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result.

Notification to the Commissioner must be in writing and include:

  • A description of the circumstances of the loss or unauthorized access or disclosure
  • The date or time period during which the loss or unauthorized access or disclosure occurred
  • A description of the personal information involved in the loss or unauthorized access or disclosure
  • An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure
  • An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure
  • A description of any steps the organization has taken to reduce the risk of harm to individuals
  • A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure, and
  • The name and contact information for a person who can answer, on behalf of the organization, the Commissioner’s questions about the loss or unauthorized access or disclosure

Where an organization suffers a loss of or unauthorized access to or disclosure of personal information as to which the organization is required to provide notice to the Commissioner, the Commissioner may require the organization to notify the individuals to whom there is a real risk of significant harm. This notification must be given directly to the individual (unless specified otherwise by the Commissioner) and include:

  • A description of the circumstances of the loss or unauthorized access or disclosure
  • The date on which or time period during which the loss or unauthorized access or disclosure occurred
  • A description of the personal information involved in the loss or unauthorized access ‎or disclosure
  • A description of any steps the organization has taken to reduce the risk of harm, and
  • Contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized access or disclosure

The Commissioner has recently changed its practices to recognize that most organizations that report a breach have already issued notice to the affected individuals. The Commissioner will now generally only issue a direction if the notice to the affected individuals is deemed insufficient or if there is another material issue arising from the breach report.

The breach notification provisions under PIPEDA are very similar to the breach notification provisions under PIPA Alberta. PIPEDA requires organizations to notify both the affected individuals and the federal regulator if the breach creates a real risk of significant harm to the individuals. Further, under PIPEDA, organizations must also keep a record of ALL information security incidents, even those which do not meet the risk threshold of a 'real risk of significant harm.'

The Quebec Private Sector Act, as modified by Bill 64, introduced a number of new obligations in connection with 'confidentiality incidents,' which are defined as the unauthorized access to, use or communication of personal information, or the loss of such information; these obligations were previously absent from Quebec privacy law. They include:

  • A general obligation to prevent, mitigate and remedy security incidents
  • The obligation to notify the CAI and the person affected whenever the incident presents a risk of 'serious injury.' Factors to consider when evaluating the risk of serious injury include the sensitivity of the information concerned, the anticipated consequences of the use of the information and the likelihood that the information will be used for harmful purposes. Although the Quebec Private Sector Act requires organizations to act 'promptly' and 'with diligence' in response to confidentiality breaches, it does not provide specific timeframes within which such notifications must be made, and
  • The obligation to keep a register of confidentiality incidents, with the CAI having extensive audit rights. The obligation to record confidentiality incidents in the register applies even if the organization has established that the 'serious injury' threshold has not been met.

Where an organization suffers a confidentiality incident and it is determined that disclosure to the CAI is required on the basis that there is a risk of 'serious injury', the written breach report must include:

  • The name of the body affected and any Québec business number assigned to such body
  • The name and contact information of the person to be contacted in that body with regard to the incident
  • A description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description
  • A brief description of the circumstances of the incident and what caused it, if known
  • The date or time period when the incident occurred or, if that is not known, the approximate time period
  • The date or time period when the body became aware of the incident
  • The number of persons concerned by the incident and the number of those who reside in Québec or, if that is not known, the approximate numbers
  • A description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes
  • The measures the body has taken or intends to take to notify the persons whose personal information is concerned by the incident, and the date on which such persons were notified, or the expected time limit for the notification
  • The measures the body has taken or intends to take after the incident occurred, including those aimed at reducing the risk of injury or mitigating any such injury and those aimed at preventing new incidents of the same nature, and the date or time period on which the measures were taken or the expected time limit for taking the measures, and
  • If applicable, an indication that a person or body outside Québec that exercises similar functions to those of the CAI with respect to overseeing the protection of personal information has been notified of the incident.

Where the risk of 'serious injury' has been established, affected individuals must also be notified. This notice must be provided directly to affected individuals, subject to certain limited exceptions, and include:

  • A description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description
  • A brief description of the circumstances of the incident
  • The date or time period when the incident occurred or, if that is not known, the approximate time period
  • A brief description of the measures the body has taken or intends to take after the incident occurred in order to reduce the risks of injury
  • The measures that the body suggests the person concerned take in order to reduce the risk of injury or mitigate any such injury, and
  • The contact information where the person concerned may obtain more information about the incident
