
Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Canadian privacy laws are not particularly prescriptive with respect to data security obligations, instead imposing a general obligation to protect personal information by security safeguards appropriate to the sensitivity of the information in question. The methods of protection are to include physical, organisational and technological measures and should safeguard the personal information in question against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. The adequacy of security measures implemented by an organisation is often assessed by privacy commissioners with respect to implementation of recognised third-party certification and standards, as well as perceptions of prevailing security practices within the relevant industrial sector.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Aside from the federal private sector privacy law and the health sector privacy laws mentioned below, Canadian privacy laws do not currently include provisions requiring mandatory breach notification to affected individuals.

Recent amendments to the federal private sector privacy law that will come into force as of 1 November 2018 require organisations to notify affected individuals with respect to any breaches of security safeguards that are likely to result in significant direct harm to such individuals.

While notification of individuals is not required under Alberta’s private sector law, as noted below, reporting data breach incidents to the information and privacy commissioner for Alberta is required, and the commissioner may, following such a report, order the organisation to notify affected individuals.

Health sector privacy laws in the provinces of New Brunswick, Ontario, and Newfoundland and Labrador require notification to individuals with respect to certain types of data breach.

In the federal public sector, a Treasury Board of Canada directive imposes a requirement for all federal government institutions to notify affected individuals with respect to certain breaches of personal information.

In provinces in which data breach notification is not a legal requirement, privacy commissioners nevertheless operate on a strong presumption that individuals will be notified of material data breaches.

Are data owners/processors required to notify the regulator in the event of a breach?

As of 1 November 2018, breach notification provisions in the federal private sector privacy law will also require an organisation to report breaches of security safeguards to the Office of the Privacy Commissioner of Canada where such breaches are likely to result in significant direct harm to an individual. Alberta’s private sector law requires data breach reporting to the information and privacy commissioner for that province, based on a similar reporting threshold.

The health sector privacy laws in New Brunswick, Ontario, and Newfoundland and Labrador require reporting to the relevant privacy commissioners with respect to certain types of data breach.

Within the federal public sector, a Treasury Board of Canada directive imposes a requirement for all federal government institutions to report certain breaches of personal information to both the Treasury Board Secretariat and the Office of the Privacy Commissioner and to notify affected individuals.
