Canadian privacy breach notification requirements

27 January 2023

Articles

Contacts:

Antoine Guilmain, Wendy Wagner, Brent Arnold, Christopher Oates, Jasmine Samra, Kavivarman Sivasothy, Hunter Fox, Marc-Antoine Bigras, Michael Walsh, Caitlin Schropp

Canadian organizations that have experienced a privacy breach, in most cases, will have a legal duty to notify the individuals affected by the breach, as well as relevant regulatory bodies.

To help you navigate this process effectively and better understand your unique obligations, this resource^[1] offers a high-level overview of the specific breach notification requirements under PIPEDA, the Québec Act and PIPA AB.

Download our guide here

What you need to know

Federal privacy legislation is the Personal Information Protection and Electronic Documents Act ("PIPEDA")

What is a privacy breach?

A breach of security safeguards is the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.

Who needs to notify whom?

The principal organization having control of the personal information must notify the affected individuals and the relevant privacy regulators.

Office of the Privacy Commissioner of Canada (the "OPC")

When is notification mandatory?

When it is reasonable, in the circumstances, to believe that the breach of security safeguards creates a real risk of significant harm to an individual. Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include the sensitivity of the personal information involved in the breach of security safeguards and the probability the personal information has been/is/will be misused.

Québec's privacy legislation is the Act to modernize legislative provisions respecting the protection of personal information ("Québec Act")

What is a privacy breach?

A confidentiality incident is an unauthorized access, use or communication of personal information, loss of personal information, or other breach in the protection of such information.

Who needs to notify whom?

The principal organization having control of the personal information must notify the affected individuals and the relevant privacy regulators.

Commission d'accès à l'information du Québec (the "CAI")

When is notification mandatory?

When a confidentiality incident presents a risk of serious injury. Whether a particular incident presents a "risk of serious injury" depends on the sensitivity of the information, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes.

Alberta's privacy legislation is the Personal Information Protection Act ("PIPA AB")²

What is a privacy breach?

Any incident involving the loss of or unauthorized access to or disclosure of personal information.

Who needs to notify whom?

The principal organization having control of the personal information must notify the affected individuals and the relevant privacy regulators.

Office of the Information and Privacy Commissioner (the "OIPC")

When is notification mandatory?

When a reasonable person would consider, after any incident involving the loss of or unauthorized access to or disclosure of the personal information, that there exists a real risk of significant harm³ to an individual as a result of the loss or unauthorized access or disclosure

Notification process

Notification process flow chart - breach occurs - breach discovery - reporting delay - reduce risk - notification to regulations and affected individuals

Notification requirements to privacy regulators: Requirements by jurisdiction

Information about the organization	PIPEDA	*Québec Act*	PIPA AB
Name of the organization	●	●	●
Contact information of a person within the organization who can answer questions about the breach	●	●	●
Breach description
Description of the circumstances of the breach	●	●	●
Description of the cause of the breach, if known	●	●	●
Date or period during which the breach occurred (or approximate if unknown)	●	●	●
Date on which the organization became aware of the incident*	●	●	●
Description of the personal information that is the subject of the breach if known*	●	●	●
*If unknown, the reasons why it is impossible to provide such description.		●
Number of individuals affected by the breach (or approximate if unknown)	●	●	●
Number of individuals affected by the breach in Québec (or approximate if unknown)		●
Number of individuals affected by the breach in Alberta (or approximate if unknown)			●
Description of risk mitigation steps
Assessment of the risk of harm to individuals			●
Description of the elements that led the organization to conclude that there is a risk of serious injury to affected individuals		●
Steps the organization has taken to reduce/mitigate the risk of harm to affected individuals	●	●	●
Steps the organization has taken or intends to take to notify affected individuals of the breach	●	●	●
Steps taken or planned, including those to prevent new incidents of the same nature (with timeline)		●	●
Other
Updates to be provided to the CAI as soon as possible when known by the organization		●
Other organizations (e.g. regulators) informed about the incident (if applicable)	●	●	●

Notifying affected individuals: Requirements by jurisdiction

Direct Notice	PIPEDA	*Québec Act*	PIPA AB
Notice must be given directly to the affected individuals, unless prescribed circumstances for indirect notices are otherwise legislatively provided	●	●	●
Breach description
Description of the circumstances of the breach	●	●	●
Date or period during which the breach occurred (or approximate if unknown)	●	●	●
Description of the personal information that is the subject of the breach if known.*	●	●	●
*If unknown, the reasons why it is impossible to provide such description		●
Description of risk mitigation steps
Steps the organization has taken to reduce/mitigate the risk of harm to affected individuals	●	●	●
Steps affected individuals could take to reduce/mitigate the risk of harm	●	●
Contact information of a person who can answer for the organization questions about the breach	●	●	●

Record-keeping obligations

Breach description	PIPEDA	Québec Act
Description of the circumstances of the breach	●	●
Date or period during which the breach occurred (or approximate if unknown)	●	●
Number of individuals impacted by the breach and the number of individuals residing in Québec (or approximate, if unknown)		●
Description of the personal information that is the subject of the breach if known.*	●	●
*If unknown, the reasons why it is impossible to provide such description.		●
Description of risk mitigation steps
Description of the elements that led to conclude that there is a risk of serious injury to affected individuals		●
Assessment of the risk of harm to individuals	●
If the incident presents a risk of serious injury/real risk of significant harm, the dates of transmission of the notices to the privacy regulator and to the persons concerned. If indirect notification, the rationale justifying it	●	●
Steps the organization has taken to reduce the risk of harm to affected individuals		●
Other
Date on which the organization became aware of the incident		●
Minimum duration for which the breach record is kept	2 years	5 years

Contact us

Our global cyber security and data protection team take a proactive approach to safeguarding your world. Let us help you stay one step ahead in this evolving landscape. Contact a member of our team to begin a conversation.

[1] Please note that this document does NOT touch on notification/reporting requirements under privacy public sector and health information laws.

[2] Although not addressed in this document, please note that other Canadian jurisdictions may "effectively" mandate notification, even if not statutorily required, because failure to notify the individual may be considered a contravention of other privacy requirements or against other rules or laws.

[3] It is worth noting that, in practice, Alberta's "real risk of significant harm" threshold has been set very low.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.

Related Tech, Cyber Security & Data Protection Law, Canadian privacy laws: New rules for a new era