Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Under the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA), organisations must implement safeguards that are appropriate to the sensitivity of the personal data. Safeguards should include physical, technical and administrative controls to prevent loss or unauthorised access to or modification or disclosure of personal data. Some regulatory and self-regulatory bodies have published additional guidance, particularly with respect to cybersecurity. For example, the Office of the Superintendent of Financial Institutions and the Investment Industry Regulatory Organisation have published cybersecurity guidance. It is possible that the federal government may, in the future, enact legislation mandating security measures for critical infrastructure.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Parliament recently enacted the Digital Privacy Act, which amends PIPEDA to introduce mandatory data breach notification requirements. These provisions are not yet in force. When these provisions come into force, organisations that are subject to PIPEDA will be required to notify individuals if there is a real risk of significant harm as a result of a breach of an organisation’s safeguards.

‘Significant harm’ includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records and damage to or loss of property. In determining whether the risk threshold is met, the organisation must consider:

  • the sensitivity of the personal data that has been exposed;
  • the probability that the personal data has been, is being or will be misused; and
  • any other factors that the government prescribes.

As mentioned previously, these data breach provisions are not yet in force. They are expected to come into force no earlier than the end of 2016.

Data controllers subject to Alberta’s Personal Information Protection Act must notify individuals of a breach if the Office of the Information and Privacy Commissioner of Alberta orders notification. The commissioner must make a notification order if, in the opinion of the commissioner, there is a real risk of significant harm as a result of the personal data security breach. The commissioner considers factors similar to those enumerated under the Digital Privacy Act.

Provincial personal health information protection legislation generally requires notification of the loss of or unauthorised access to personal health information. Public sector legislation does not generally require notification of breaches. Newfoundland is a notable exception.

Are data owners/processors required to notify the regulator in the event of a breach?

Under the amendments to PIPEDA contained in the Digital Privacy Act, organisations will be required to notify the Office of the Privacy Commissioner of Canada (OPC) if there is a breach of safeguards that may result in a real risk of significant harm to an individual. In addition, organisations will be required to log all breaches of safeguards and to produce those logs to the OPC on request. The government is consulting on the content of the mandatory reports and data breach logs. These provisions are not expected to come into force until the end of 2016 at the earliest.

Organisations subject to Alberta’s Personal Information Protection Act must notify the Office of the Information and Privacy Commissioner of Alberta of personal data security breaches. Similar obligations will apply in the near future on a national level under PIPEDA, requiring notification to the OPC.
