Ensuring the safety and security of Canadians’ personal information

New requirements for businesses to report data breaches

November 1, 2018 – Ottawa, Ontario

The Government of Canada is ensuring that Canada has strong privacy laws that safeguard Canadians’ personal information while also supporting innovation.

Today, new requirements under commercial privacy law come into force. These requirements detail how businesses will alert individuals if their personal information is lost or stolen and impose new financial penalties if this isn’t done.  These new reporting requirements and penalties will lead to more careful protection of Canadians’ personal information and empower Canadians to protect themselves and their information.

Under the new requirements, organizations that experience a breach of data security safeguards involving personal information must do the following:

• determine if the breach poses a real risk of significant harm to any individual whose personal information was involved in the breach;
• notify affected individuals as soon as feasible of any breach that poses a real risk of significant harm;
• report any data breach poses a real risk of significant harm to the Privacy Commissioner of Canada as soon as possible;
• where appropriate, notify any third party that the organization experiencing the breach believes is in a position to mitigate the risk of harm; and
• maintain a record of any data breach it becomes aware of and provide it to the Privacy Commissioner of Canada upon request.

The financial penalties a company must pay if it fails to report include potential fines of up to $100,000 for companies that knowingly fail to notify individuals or report a breach to the Office of the Privacy Commissioner of Canada.

The regulations are implemented under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The Act sets out the ground rules for how businesses collect, use or disclose personal information in the course of commercial activities.

Guidance material published by the Office of the Privacy Commissioner of Canada provides more details for businesses on how they should comply with their new obligations.

The collection, retention, use and disclosure of personal information by government institutions are governed by the Privacy Act. Federal institutions are already required to report material privacy breaches to the Office of the Privacy Commissioner and to Treasury Board Secretariat.