Employee Data Privacy

Canada - Breach Notification

 Download as a PDF

Are there any data breach notification requirements? 


A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.


In Alberta, organizations are required to notify the Alberta Information and Privacy Commissioner of any data breach where there is a real risk of significant harm to an individual as a result of the breach. The BC Information and Privacy Commissioner suggests that notification may be appropriate in certain circumstances, upon an assessment by the organization of the severity of the breach.


Effective November 1, 2018, whenever there is a breach of security safeguards organizations in Canada must create and maintain a record of the breach for 24 months and allow the Office of the Privacy Commissioner to access those records upon request (note: this record must be completed even when there is no risk of harm to individuals). In addition, when a data breach creates a real risk of significant harm to impacted individuals, employers must:


Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.

Share Your Feedback

Let's Talk