Canada: New Obligations Coming into Effect for Employers Affected by Data Breaches

Effective November 1, 2018, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) will require organizations to report any breach of security safeguards to the Privacy Commissioner if the breach creates a real risk of significant harm to an individual’s privacy. The affected individuals will also have to be notified about the breach.

These obligations arise from amendments to PIPEDA under the Digital Privacy Act and the Breach of Security Safeguards Regulations. The Office of the Privacy Commissioner has also published a comprehensive guidance document containing an overview of the legislative changes and practices for complying with the changes.

To whom do the new PIPEDA obligations apply?

PIPEDA is federal legislation that restricts the collection and use of personal information in the private sector. Organizations that collect, use, or disclose personal information in connection with the operation of a federal work, undertaking, or business must comply with PIPEDA’s requirements. In terms of provincially-regulated employers, PIPEDA applies to organizations that collect, use, or disclose personal information in the course of commercial activities. Notably, employment activities are generally not considered to be “commercial activities” under PIPEDA.

The reporting obligations will apply to both large and small businesses in Canada whose activities fall under the scope of PIPEDA. If an organization is found in violation of PIPEDA’s new reporting obligations, it could be charged with an offence and be issued a fine up to $100,000.

In what circumstances will the reporting obligations be triggered?

For the purposes of the new PIPEDA reporting obligations, a “breach of security safeguards” will arise where personal information is either lost or accessed by an unauthorized individual, and the access or disclosure results from the violation of an organization’s security safeguards. An organization will be required to report any such breach if the breach involved personal information within the organization’s control or custody.

A more holistic analysis is used to determine whether a data breach creates a real risk of significant harm. “Significant harm” is defined broadly and includes: bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the individual’s credit record; and damage to or loss of property. To determine whether an individual will be at a real risk of significant harm, the Privacy Commissioner will assess the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being, or will be misused.

How should data breaches be reported and recorded?

The Office of the Privacy Commissioner has created a PIPEDA Breach Report Form for use by private sector organizations reporting data breaches. The Report Form requires an organization to provide a description of the data breach (including the number of individual affected, when the breach occurred, and the cause of the breach), the relevant security safeguards in place at the time of the breach, and the steps taken to mitigate harm to individuals resulting from the breach. The Report Form must be submitted to the Privacy Commissioner as soon as feasible after the discovery of a data breach, although information within the Report Form can be updated or corrected as needed.

Affected individuals must also be notified about the breach of their personal information. Such notification must be conspicuous and provided as soon as feasible after the breach has been discovered. In most circumstances, notice of a data breach must be communicated directly to the affected individual via telephone, mail, email, or in-person communication. However, PIPEDA permits indirect notification in circumstances where direct notification would likely cause further harm to the affected individual or undue hardship to the organization, or where the organization does not have contact information for the affected individual.

When an organization notifies an affected individual about a data breach, it must also notify any other government institutions or organizations that it believes can reduce the risk of harm resulting from the breach.

PIPEDA will also require an organization to maintain records of all data breaches occurring to personal information under its control, regardless of whether the breach poses a real risk of significant harm. These records must be kept for at least 24 months after the breach.

As the coming-into-force date for these reporting obligations approaches, Canadian employers should review their security systems to ensure adequate protection of personal data. Employers should also update their workplace policies to accord with the new PIPEDA requirements.