Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Canadian privacy laws are not particularly prescriptive with respect to data security obligations; instead, they impose a general obligation to protect personal information with security safeguards appropriate to the sensitivity of the information in question. The methods of protection are to include physical, organisational and technological measures and should safeguard the personal information against loss or theft, as well as unauthorised access, disclosure, copying, use or modification. The adequacy of the security measures implemented by an organisation is often assessed by privacy commissioners with reference to the organisation's implementation of recognised third-party certifications and standards, as well as the perceived prevailing security practices within the relevant industry sector.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Aside from the health sector privacy laws mentioned below, Canadian privacy laws do not currently include provisions requiring mandatory breach notification to affected individuals.

Once proclaimed in force, amendments to the federal private sector privacy law will require organisations to report certain breaches to the Office of the Privacy Commissioner of Canada.

Health sector privacy laws in the provinces of New Brunswick, Ontario and Newfoundland and Labrador require notification to individuals with respect to certain types of data breach.

In the federal public sector, a Treasury Board of Canada directive imposes a requirement for all federal government institutions to notify affected individuals with respect to certain breaches of personal information.

In provinces in which data breach notification is not a legal requirement, there is nevertheless a strong presumption by privacy commissioners that individuals will be notified of material data breaches.

Are data owners/processors required to notify the regulator in the event of a breach?

In the federal private sector privacy law, once proclaimed in force, breach notification provisions will also require an organisation to report certain data breaches to the Office of the Privacy Commissioner of Canada. Alberta’s private sector law requires data breach reporting to the information and privacy commissioner for that province.

The health sector privacy laws in New Brunswick, Ontario, and Newfoundland and Labrador require reporting to the relevant privacy commissioners with respect to certain types of data breach.

Within the federal public sector, a Treasury Board of Canada directive imposes a requirement for all federal government institutions to report certain breaches of personal information to both the Treasury Board Secretariat and the Office of the Privacy Commissioner and to notify affected individuals.