New Canadian Data Breach Notification Requirements Take Effect as PIPEDA Amendments Come Into Force
On November 1, 2018, the long-awaited amendments to Canada’s main federal data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), take effect.
The new amendments, first passed by the Canadian Parliament in 2015, will require entities that collect, use, or disclose personal information of Canadian residents in the commercial context to notify the affected individuals and the federal Office of the Privacy Commissioner when there has been unauthorized access to personal information, or a loss of personal information, if the access or loss would create a real risk of significant harm to the individuals.
Personal information under PIPEDA is defined broadly as “information about an identifiable individual.”
If consumer notice is required, the entity must also notify any other organization or government institution if the other institution may be able to reduce the risk of harm. Previously, whether consumer notification was required was determined by provincial law.
What are the methods of notification?
PIPEDA’s permitted methods for consumer notification are more permissive than that of many U.S. data breach notification laws.
Under PIPEDA, an entity must provide “direct notification” to the affected individuals, either in person, by telephone, mail, email, or any other form of communication that a reasonable person would consider appropriate under the circumstances.
In addition, PIPEDA requires “indirect notification” to consumers when direct notification would likely cause further harm to the affected individuals or undue hardship for the entity, or the entity lacks contact information for the affected individuals. In such circumstances, the entity must provide notification indirectly through “public communication” or similar measures that could reasonably be expected to reach the affected individuals.
Notification to the Privacy Commissioner must be in writing and sent by secure means. As to timing, notification to both individuals and to the Privacy Commissioner must be provided “as soon as feasible after the organization determines that a breach has occurred.”
What should be included in a notification?
PIPEDA also outlines content requirements for notification to both consumers and the Privacy Commissioner.
Notification to the affected individuals must include the following: (a) a description of the circumstances of the breach; (b) the day, period, or approximate period during which the breach occurred; (c) a description of the personal information that is the subject of the breach (if known); (d) a description of steps the entity has taken to reduce the risk of harm that could result from the breach; (e) a description of steps the affected individuals could take to reduce the risk of harm that could result from the breach; and (f) contact information that affected individuals could use to obtain additional information about the breach.
Notification to the Privacy Commissioner must include most of the above-mentioned items, as well as the number of individuals affected by the breach, the cause of the breach, steps the entity has taken to notify the affected individuals, and the point-of-contact who can respond to inquiries from the Privacy Commissioner about the breach.
What records need to be maintained?
Entities must maintain a record of every breach of security safeguards for 24 months from the day the entity determines that the breach occurred.
The entity’s record must contain any information that allows the Privacy Commissioner to confirm that the entity has complied with its obligations to notify the affected individuals and the Privacy Commissioner.
Entities that do business in Canada or have Canadian customers should pay special attention to PIPEDA’s new breach notification requirements and revise their protocols accordingly.
Because PIPEDA’s definition of “personal information” is broader than that of many U.S. data breach notification statutes, an entity may be required to provide notice under PIPEDA when they otherwise would not under U.S. law.
For more detailed information on data breach notification statutes and information security standards for Canada, the U.S., and Australia, visit Lewis Brisbois’ interactive Data Privacy & Information Security World Map.