Alberta has had mandatory breach notification requirements for private organizations under its Personal Information Protection Act since 2010. The objective of mandatory breach notification is to ensure that individuals whose personal information has been the subject of a privacy breach receive adequate and timely notification so that they can protect themselves from potential harm resulting from the unauthorized access or disclosure.
With the approval of the Breach of Security Safeguards Regulations, the mandatory breach notification provisions under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force and be required of all private organizations that are subject to PIPEDA. The breach notification requirements were part of the Digital Privacy Act (otherwise known as Bill S-4).
The amendments to PIPEDA require an organization to report a privacy breach to the Privacy Commissioner of Canada, and to notify affected individuals, where "it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual." This will most likely be triggered where sensitive personal information, such as financial information or health information, is compromised. However, each potential security breach should be considered on a case-by-case basis.
The Regulations, as they are currently drafted, will require such notification to include (amongst other information):
- a description of the breach,
- a description of what personal information was affected,
- steps that the organization has taken to rectify the breach,
- steps that an individual can take to protect themselves from the risk of harm, and
- a way to contact the organization for further information.
The Regulations also indicate the manner in which an organization must notify individuals of the breach (i.e. by email, letter, telephone or in person). In certain circumstances, an organization may provide indirect notification to affected individuals, such as by posting a message on its website or placing an advertisement in a local paper.
The proposed Regulations are currently in consultation and have not yet been approved. Once approved, however, they will affect all private organizations involved in commercial activities in most provinces (Alberta and British Columbia are excluded because they have substantially similar privacy legislation, and Ontario is excluded only on matters related to health care), any organization that has cross-border business operations, and any organization involved in a federal undertaking (e.g. telecommunications and banking).
For more information on the Regulations and what may be required of your organization should a privacy breach occur, we recommend that you contact Brownlee LLP or visit http://www.gazette.gc.ca/rp-pr/p1/2017/2017-09-02/html/reg1-eng.php.
Mandatory data breach notification under PIPEDA provides an increased level of protection for Canadians and other consumers in the Canadian marketplace by allowing them to take steps to protect themselves from potential harm resulting from a breach. The proposed Regulations will enhance this protection in a number of ways. By ensuring that all breach notifications contain a core set of information and are provided in an appropriate manner, the proposed Regulations will result in more effective notifications, increasing the probability that affected individuals will receive the information and understand its significance.