Antoine Guilmain
Partner
Co-leader, National Cybersecurity & Data Protection Group
Article
Canadian organizations that have experienced a privacy breach, in most cases, will have a legal duty to notify the individuals affected by the breach, as well as relevant regulatory bodies.
To help you navigate this process effectively and better understand your unique obligations, this resource[1] offers a high-level overview of the specific breach notification requirements under PIPEDA, the Québec Act and PIPA AB.
Information about the organization | PIPEDA | Québec Act | PIPA AB |
---|---|---|---|
Name of the organization | ● | ● | ● |
Contact information of a person within the organization who can answer questions about the breach | ● | ● | ● |
Breach description | | | |
Description of the circumstances of the breach | ● | ● | ● |
Description of the cause of the breach, if known | ● | ● | ● |
Date or period during which the breach occurred (or approximate if unknown) | ● | ● | ● |
Date on which the organization became aware of the incident | ● | ● | ● |
Description of the personal information that is the subject of the breach, if known* | ● | ● | ● |
*If unknown, the reasons why it is impossible to provide such a description | | ● | |
Number of individuals affected by the breach (or approximate if unknown) | ● | ● | ● |
Number of individuals affected by the breach in Québec (or approximate if unknown) | | ● | |
Number of individuals affected by the breach in Alberta (or approximate if unknown) | | | ● |
Description of risk mitigation steps | | | |
Assessment of the risk of harm to individuals | | | ● |
Description of the elements that led the organization to conclude that there is a risk of serious injury to affected individuals | | ● | |
Steps the organization has taken to reduce/mitigate the risk of harm to affected individuals | ● | ● | ● |
Steps the organization has taken or intends to take to notify affected individuals of the breach | ● | ● | ● |
Steps taken or planned, including those to prevent new incidents of the same nature (with timeline) | ● | ● | |
Other | | | |
Updates to be provided to the CAI as soon as possible once known by the organization | | ● | |
Other organizations (e.g. regulators) informed about the incident (if applicable) | ● | ● | ● |
Direct Notice | PIPEDA | Québec Act | PIPA AB |
---|---|---|---|
Notice must be given directly to the affected individuals, unless the legislation prescribes circumstances in which indirect notice is permitted | ● | ● | ● |
Breach description | | | |
Description of the circumstances of the breach | ● | ● | ● |
Date or period during which the breach occurred (or approximate if unknown) | ● | ● | ● |
Description of the personal information that is the subject of the breach, if known* | ● | ● | ● |
*If unknown, the reasons why it is impossible to provide such a description | | ● | |
Description of risk mitigation steps | | | |
Steps the organization has taken to reduce/mitigate the risk of harm to affected individuals | ● | ● | ● |
Steps affected individuals could take to reduce/mitigate the risk of harm | ● | ● | |
Contact information of a person who can answer questions about the breach on behalf of the organization | ● | ● | ● |
Breach description | PIPEDA | Québec Act |
---|---|---|
Description of the circumstances of the breach | ● | ● |
Date or period during which the breach occurred (or approximate if unknown) | ● | ● |
Number of individuals impacted by the breach and the number of individuals residing in Québec (or approximate, if unknown) | | ● |
Description of the personal information that is the subject of the breach, if known* | ● | ● |
*If unknown, the reasons why it is impossible to provide such a description | | ● |
Description of risk mitigation steps | | |
Description of the elements that led the organization to conclude that there is a risk of serious injury to affected individuals | | ● |
Assessment of the risk of harm to individuals | ● | |
If the incident presents a risk of serious injury/real risk of significant harm, the dates on which the notices were sent to the privacy regulator and to the persons concerned; if notification was indirect, the rationale justifying it | ● | ● |
Steps the organization has taken to reduce the risk of harm to affected individuals | | ● |
Other | | |
Date on which the organization became aware of the incident | | ● |
Minimum duration for which the breach record is kept | 2 years | 5 years |
Our global cyber security and data protection team take a proactive approach to safeguarding your world. Let us help you stay one step ahead in this evolving landscape. Contact a member of our team to begin a conversation.
[1] Please note that this document does NOT touch on notification/reporting requirements under public sector privacy and health information laws.
[2] Although not addressed in this document, please note that other Canadian jurisdictions may "effectively" mandate notification, even if not statutorily required, because failure to notify the individual may be considered a contravention of other privacy requirements or against other rules or laws.
[3] It is worth noting that, in practice, Alberta's "real risk of significant harm" threshold has been set very low.
Federal privacy legislation is the Personal Information Protection and Electronic Documents Act ("PIPEDA").
Under PIPEDA, a breach of security safeguards is the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.
The principal organization having control of the personal information must notify the affected individuals and the relevant privacy regulators.
The federal privacy regulator is the Office of the Privacy Commissioner of Canada (the "OPC").
Notification is required when it is reasonable, in the circumstances, to believe that the breach of security safeguards creates a real risk of significant harm to an individual. Factors relevant to determining whether a breach of security safeguards creates a real risk of significant harm include the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused.