Canada privacy guide cover

Canadian organizations that have experienced a privacy breach, in most cases, will have a legal duty to notify the individuals affected by the breach, as well as relevant regulatory bodies.

To help you navigate this process effectively and better understand your unique obligations, this resource[1] offers a high-level overview of the specific breach notification requirements under PIPEDA, the Québec Act and PIPA AB.

Download our guide here


 

Notification process 

Notification process flow chart - breach occurs - breach discovery - reporting delay - reduce risk - notification to regulations and affected individuals

Notification requirements to privacy regulators: Requirements by jurisdiction

Information about the organization PIPEDA Québec Act PIPA AB
Name of the organization
Contact information of a person within the organization who can answer questions about the breach
Breach description      
Description of the circumstances of the breach
Description of the cause of the breach, if known
Date or period during which the breach occurred (or approximate if unknown)
Date on which the organization became aware of the incident*
Description of the personal information that is the subject of the breach if known*
*If unknown, the reasons why it is impossible to provide such description.    
Number of individuals affected by the breach (or approximate if unknown)
Number of individuals affected by the breach in Québec (or approximate if unknown)    
Number of individuals affected by the breach in Alberta (or approximate if unknown)    
Description of risk mitigation steps      
Assessment of the risk of harm to individuals    
Description of the elements that led the organization to conclude that there is a risk of serious injury to affected individuals    
Steps the organization has taken to reduce/mitigate the risk of harm to affected individuals
Steps the organization has taken or intends to take to notify affected individuals of the breach
Steps taken or planned, including those to prevent new incidents of the same nature (with timeline)  
Other      
Updates to be provided to the CAI as soon as possible when known by the organization    
Other organizations (e.g. regulators) informed about the incident (if applicable)

Notifying affected individuals: Requirements by jurisdiction

Direct Notice PIPEDA Québec Act PIPA AB
Notice must be given directly to the affected individuals, unless prescribed circumstances for indirect notices are otherwise legislatively provided
Breach description      
Description of the circumstances of the breach
Date or period during which the breach occurred (or approximate if unknown)
Description of the personal information that is the subject of the breach if known.*
*If unknown, the reasons why it is impossible to provide such description    
Description of risk mitigation steps      
Steps the organization has taken to reduce/mitigate the risk of harm to affected individuals
Steps affected individuals could take to reduce/mitigate the risk of harm  
Contact information of a person who can answer for the organization questions about the breach

Record-keeping obligations

Breach description PIPEDA Québec Act
Description of the circumstances of the breach
Date or period during which the breach occurred (or approximate if unknown)
Number of individuals impacted by the breach and the number of individuals residing in Québec (or approximate, if unknown)  
Description of the personal information that is the subject of the breach if known.*
*If unknown, the reasons why it is impossible to provide such description.  
Description of risk mitigation steps    
Description of the elements that led to conclude that there is a risk of serious injury to affected individuals  
Assessment of the risk of harm to individuals  
If the incident presents a risk of serious injury/real risk of significant harm, the dates of transmission of the notices to the privacy regulator and to the persons concerned. If indirect notification, the rationale justifying it
Steps the organization has taken to reduce the risk of harm to affected individuals  
Other    
Date on which the organization became aware of the incident  
Minimum duration for which the breach record is kept 2 years 5 years

Contact us

Our global cyber security and data protection team take a proactive approach to safeguarding your world. Let us help you stay one step ahead in this evolving landscape. Contact a member of our team to begin a conversation.


[1] Please note that this document does NOT touch on notification/reporting requirements under privacy public sector and health information laws.

[2] Although not addressed in this document, please note that other Canadian jurisdictions may "effectively" mandate notification, even if not statutorily required, because failure to notify the individual may be considered a contravention of other privacy requirements or against other rules or laws.

[3] It is worth noting that, in practice, Alberta's "real risk of significant harm" threshold has been set very low.