Are you always worried about handling personal information? With most information now stored electronically, the risk of a data breach is very real. Not even governments are safe, as the 2020 Canada Revenue Agency breach showed. Note that federal institutions such as the CRA are governed by the Privacy Act; the breach notification rules discussed here come from PIPEDA, which governs private-sector organizations.
While no one hopes for another data breach, it helps to know that there are laws in place to guide organizations. Among other things, the data breach notification law requires organizations to report breaches to the affected individuals. Here is what you should know about handling personal information under the data breach notification law.
What laws govern data breach in Canada?
Data breach notification law is set out in the Personal Information Protection and Electronic Documents Act (PIPEDA). This federal law regulates the collection, use and disclosure of personal information in the course of commercial activity. By extension, it also covers how that information is stored and safeguarded while the organization holds it.
What constitutes data breach in Canada?
In simple terms, a data breach (PIPEDA calls it a "breach of security safeguards") happens when personal information is lost, accessed by an unauthorized party, or disclosed to one, because the organization's safeguards were breached or were never put in place. A common scenario is a cyberattack in which an outside attacker defeats the organization's security controls to steal personal information. However, it can also happen when a member of the organization accesses or discloses personal information without authorization, or when a laptop or backup holding the data is simply lost.
When PIPEDA says personal information, it refers to:
- name, age, marital status, nationality, race, ethnic origin
- income and financial information
- employment history, employee files, ID number
- medical history, blood type, DNA
- educational history
- Social Insurance Number
- driver’s licence
- opinions and evaluations
- credit records
- loan records
The loss of, unauthorized access to, or unauthorized disclosure of any of this information can trigger the data breach notification law.
Affected entities
Compliance with PIPEDA is required for the commercial activities of organizations. Strictly speaking, non-profit organizations that do not engage in commercial activity are exempt. However, compliance is required if the non-profit sells, barters or leases donor, membership or other fundraising lists, because that is a commercial activity.
Provincial data breach notification law
Three provinces have their own private-sector privacy laws that the federal government has deemed substantially similar to PIPEDA:
- Alberta's Personal Information Protection Act (PIPA Alberta)
- British Columbia's Personal Information Protection Act (PIPA BC)
- Quebec's Act Respecting the Protection of Personal Information in the Private Sector
For commercial activity that stays within one of these provinces, organizations follow the provincial law rather than PIPEDA. PIPEDA still applies to federally regulated businesses (banks, airlines, telecommunications) in every province, and to personal information that crosses provincial or national borders.
The healthcare sector in the following provinces also follows its own health-information privacy laws, which have been deemed substantially similar to PIPEDA for health information custodians:
- Ontario
- Nova Scotia
- New Brunswick
- Newfoundland and Labrador
These overlapping jurisdictions complicate matters when a breach affects people in several provinces, because the organization may have to satisfy more than one law at once. Lawyers who can reconcile the different provincial requirements are often needed.
What about cross-border organizations handling personal information in commercial activities? PIPEDA applies to personal information that moves across provincial or national borders. Even so, it is best to consult cross-border lawyers in these cases, especially if the data owner is a resident of another country whose own privacy law may also apply.
Principles under the data breach notification law
Data breach notification law does not prescribe specific security measures. Instead, PIPEDA sets out ten fair information principles that organizations are expected to follow. Here is a brief overview of these principles:
Accountability
Organizations are responsible for the personal information they collect and control. Even if the information is processed by a third party, the organization remains responsible for any breach. The organization must therefore use contractual or other means, such as a written agreement with the third-party processor, to ensure that the processor provides a comparable level of protection and complies with PIPEDA.
The law also requires the designation of an individual who is primarily responsible for the organization's compliance with PIPEDA. This person retains that responsibility even if other individuals handle the day-to-day collection or processing of data.
Identification of purpose
Organizations must identify the purposes for which personal information is collected. The data owner must be informed of these purposes at or before the time of collection. The purpose determines and justifies what information is requested. For example, a credit card issuer has no legitimate need to collect a customer's ethnic origin.
Consent
The data owner must consent to the collection, use or disclosure of their data. This consent is limited to the purposes identified at collection, so if the data is to be used for any other purpose, separate consent must be obtained. PIPEDA requires meaningful consent: the data owner must be able to understand how the information will be used or disclosed before agreeing.
Consent can be given in various ways:
- an application
- a checkoff box
- over the phone
- at the time of product or service use
Consent may also be withdrawn, except if a contract or law prohibits it.
Limiting collection
The data collected must be limited to what is necessary for the identified purposes. This principle follows directly from identification of purpose. Under PIPEDA, collection must also be carried out by "fair and lawful means", which is intended to prevent collection through misleading or deceptive methods.
Limiting use, disclosure, and retention
The purpose of collection is critical because it guides all other activities related to the data. Information may be used or disclosed only for the purposes for which it was collected, unless the individual consents or the law requires otherwise. The organization must also retain the data only as long as it serves those purposes. Otherwise, it is in violation of PIPEDA.
But how long should they keep the information? PIPEDA doesn’t specify that. Instead, organizations are required to make their own guidelines and procedures for storage. They must be prepared to justify this decision in the event of a complaint.
Accuracy
Personal information should be as accurate, complete and up to date as is necessary for the purposes for which it is used. How much accuracy and freshness is required depends on how the information is used. For information that is disclosed to third parties or used to make decisions about a person, accuracy and freshness are critical.
A classic example is credit information that feeds a person's credit score. A delay in recording a person's payment could lower the score, which in turn reduces their borrowing power, especially for large purchases such as a house or a car. Organizations involved in these transactions must keep their reports accurate.
Safeguards
All organizations must protect personal information with security safeguards appropriate to its sensitivity. The more sensitive the information, the stronger the safeguards must be; the amount and distribution of the information and the format in which it is stored also matter. PIPEDA's schedule of principles lists the kinds of protection expected:
- physical measures such as locked filing cabinets and restricted access to offices
- organizational measures such as security clearances and limiting access to a need-to-know basis
- technological measures such as passwords and encryption
PIPEDA also requires organizations to make their employees aware of the importance of maintaining the confidentiality of personal information, and to take care when disposing of or destroying it so that it cannot be recovered.
Openness
Organizations are required to be open about their policies and practices relating to personal information. Anyone who wants to learn about these policies should be able to obtain the information readily. The information should also include the name or title of the individual designated as accountable for compliance, and how to reach them.
Other information that should be made available:
- how to request or get access to personal information
- kinds of personal information held by the organization and how it is used
- brochures or other material that explains the policies of the organization
- what personal information can be accessed by other organizations like subsidiaries or partners
Individual access
Data owners, upon request and with adequate proof of identity, should be able to access their own personal information. They should also be told how it has been used and to whom it has been disclosed if they ask. If they find inaccuracies, they can challenge the information and have it corrected or annotated as appropriate.
The right of access is not absolute. There are some exceptions, such as information that would reveal personal information about a third party or that is protected by solicitor-client privilege. In such cases the organization must tell the data owner that access has been refused and why.
Challenging compliance
Finally, the last principle under the data breach notification law lets the data owner challenge an organization's compliance.
People can complain to the organization if it does not comply with PIPEDA or any of these principles. A complaint should normally be made to the organization first, through its designated accountable individual, so that it can investigate and address the matter at its own level.
The role of a data privacy breach lawyer is to make sure an organization follows all of these principles.
What to do in case of a data breach
Data breaches of personal information are taken seriously by the Canadian government. Under PIPEDA, the organization that suffered the breach must notify the individuals whose information was affected, where the breach poses a real risk of significant harm.
The response to a data breach is therefore twofold: the actions of the organization and the actions of the data owner.
Obligation of the organization
Data breach notification law requires the organization to notify affected individuals as soon as feasible, but not every breach has to be reported. The organization must first determine whether it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm (RROSH) to an individual.
Significant harm can mean:
- physical harm
- damage to reputation
- humiliation
- damage to relationships
- loss of employment
- financial loss
- identity theft
- damage to property, and more
To decide whether a breach creates a real risk of significant harm, the organization must consider the following factors:
- the sensitivity of the personal information involved
- the probability that the personal information has been, is being or will be misused
- any other prescribed factor
Whether to notify therefore depends on this assessment. If your organization reasonably concludes that there is no real risk of significant harm, notification is not required. Even then, PIPEDA requires the organization to keep a record of every breach of security safeguards, whether or not it met the RROSH threshold, for at least 24 months, and to provide those records to the Privacy Commissioner on request. But what if notification is necessary? When should you notify people?
The data breach notification law does not set a fixed deadline. Instead, it requires your organization to notify affected individuals as soon as feasible after determining that the breach has occurred. Notify them in a clear, direct way. The notification must contain enough information for the data owner to understand the significance of the breach and to take steps, if any are possible, to reduce the risk of harm.
Indirect notification (for example, a public announcement) is also possible. However, it is allowed only if:
- direct notification would be likely to cause further harm to the affected individual
- direct notification would cause undue hardship for the organization
- the organization does not have contact information for the affected individuals
Besides the data owner, the organization must also report the breach to the Office of the Privacy Commissioner of Canada (OPC) using the OPC's breach report form, as soon as feasible after determining that the breach has occurred.
Content of the data breach notification
Under the data breach notification law, the notification to affected individuals must contain the following:
- a description of the circumstances of the breach
- the day on which, or the period during which, the breach occurred (or an approximation if not known)
- a description of the personal information affected by the breach
- the steps the organization has taken to reduce the risk of harm resulting from the breach
- the steps the affected individuals can take to reduce the risk of harm
- contact information the affected individual can use to obtain further information about the breach
The report to the OPC covers the same points and also includes the number of individuals affected (or an estimate) and the organization's assessment of the risk of harm.
After compliance with data breach notification law
Once data owners learn of a breach, they can take steps to protect themselves. This can include changing any passwords that may have been exposed (and any accounts that reused them), turning on multi-factor authentication, placing a fraud alert on their credit file with the credit bureaus, monitoring their accounts, and reporting any unauthorized transactions to their bank. A good notification spells out which of these steps make sense for the information that was actually exposed.
Can you sue for data breach in Canada?
Yes. A violation of the data breach notification law lets any individual file a complaint against the organization responsible.
There are two kinds of data breach complaint. The first is a complaint that the organization failed to report or notify a breach. The second is a complaint that the organization did not follow the fair information principles.
Complaints for violation of the data breach notification law are filed with the Office of the Privacy Commissioner (OPC). The Commissioner decides whether to investigate based on the available evidence. If the Commissioner investigates, they prepare a report of findings and provide it to the complainant.
So what can the complainant do after the report? They can apply to the Federal Court for a hearing, and the court can order the organization to correct its practices and award damages, including damages for humiliation. Separately, knowingly failing to report a breach to the OPC, notify affected individuals, or keep the required breach records is an offence under PIPEDA punishable by fines of up to $100,000. Affected individuals may also bring class actions in the provincial courts.
Protect your information from data breaches
The purpose of data breach notification law is to protect data owners. However, security failures also place organizations in a very poor light, not to mention exposing them to significant fines and damages. Going above and beyond the minimum on data privacy is therefore the better course for organizations.
For added security in your operations, check out our directory of Lexpert-ranked best law firms for data protection and privacy in Canada. This page lets you find firms by jurisdiction, which matters if you operate in a province such as Alberta with its own privacy law.