A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances. In Canada, breach notification requirements can vary by province and by those subject to the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
In Alberta, organizations are required to notify the Alberta Information and Privacy Commissioner of any incident involving loss, unauthorized access or disclosure of personal information where there is a real risk of significant harm to an individual as a result of the breach. Notice to the Information and Privacy Commissioner must be written and include:
Alberta’s Information and Privacy Commissioner has the authority to require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss, unauthorized access or disclosure. When required, the notice generally should be given directly to the impacted individuals and include:
British Columbia (BC) does not currently have a data breach notification law, but the BC Information and Privacy Commissioner suggests that notification may be appropriate in certain circumstances, upon an assessment by the organization of the severity of the breach.
Quebec does not have a legal notification requirement, but the Quebec Commission d’accès à l’information (CAI) has issued guidelines on what businesses should do in the event of a security breach, and when they should notify individuals. The CAI also recommends that organizations complete a voluntary incident declaration form (available on the Quebec CAI website).
Effective November 1, 2018, organizations that are subject to the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) must report any breach of security safeguards to the Privacy Commissioner if the breach involved personal information under the organization’s control and it is reasonable (given the circumstances) to believe that the breach creates a real risk of significant harm to an individual. The report must be written and provided to the Commissioner as soon as feasible. It should include:
Unless prohibited by law, employers shall notify an individual of any breach involving the individual’s personal information under the employer’s control if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. The notice must be written and provided to the individual as soon as possible. The notice should include:
When determining whether a breach created a real risk of harm, employers should consider the sensitivity of the personal information involved and the probability the information has been or will be misused.
In the event the employer notifies individuals of a breach, the employer must also notify any organization, government institution or part of a government institution that it believes can reduce the risk of harm or mitigate harm.
Employers who are subject to PIPEDA must create and maintain a record of the breach for 24 months and allow the Office of the Privacy Commissioner to access those records upon request (note: this record must be completed even when there is no risk of harm to individuals).