Canada's Privacy Breach Notification Requirements Coming into Force

The provisions of Canada’s Digital Privacy Act dealing with privacy breach notification and breach record keeping (the “Provisions”) will come into force on November 1, 2018. The Provisions amend the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private-sector privacy statute, and once in force they will constitute a major change to Canada’s privacy law. For unknown reasons, the federal government made this announcement without fanfare or even a government press release.

The Digital Privacy Act was enacted in 2015, but the Provisions remained in limbo, not having been brought into force with the balance of the statute. 

Summary of Provisions

In summary, the Provisions address several subjects:

Breach Notification

  • Each organization will be required to report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information under its control, if it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to an individual.
  • If this same test is met and unless otherwise prohibited by law, an organization will be required to notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control.
  • If an individual must be given such notice, the organization will also have to notify any other organization or government of the breach if the notifying organization believes the other organization or government may be able to reduce the risk of harm that could result from the breach or mitigate that harm.
  • The form and content of such notices are to be prescribed in future regulations.
  • These notifications must be given as soon as feasible after the organization determines that the breach has occurred. The Canadian statute does not set a specific deadline, unlike the European Union’s General Data Protection Regulation (GDPR), due to take effect in May 2018, which requires notification to the supervisory authority within 72 hours of becoming aware of a breach.

Breach Record Keeping

  • An organization will be required to keep and maintain a record of every breach of security safeguards involving personal information under its control, in accordance with regulations to be released in the future. Importantly, this record-keeping obligation applies to all such breaches, not only those that meet the “real risk of significant harm” threshold that triggers notification.

Whistleblowing

  • Enhanced whistleblowing provisions will apply.