Data breach notification requirements went into effect across Canada on November 1. The
requirement is a result of language in the Digital Privacy Act of 2015 (Bill S-4) amending the country’s
Personal Information Protection and Electronic Documents Act (PIPEDA). The amendment also
expands the enforcement powers of the Canadian Privacy Commissioner.
“We know from experience that breach notification requirements significantly raise the stakes,”
said NAID-Canada chair Tino Fluckiger. “NAID members have a great opportunity to educate their
customers and grow their businesses.”
In September, NAID held workshops in Calgary and Toronto to advise members on their new
marketing leverage due to this change.
“Clients are often unaware of new data protection requirements,” said i-SIGMA CEO Bob Johnson.
“Providing them information on it is not only a responsibility as a data protection professional, but it
is also great for business.”
According to Johnson, it is unknown whether weaker provincial breach notification will survive the
new national law. “The new national law is stronger than the breach notification in Alberta, and
the limited health breach notification in Ontario. Because the federal law supersedes weaker provincial
requirements, we assume they will go away or, more likely, be improved. Most provinces had no
breach notification prior to November 1, and so there is no question regarding its jurisdiction.”
Under the law, service providers are required to notify the data controller in the event of any incident
potentially exposing Personally Identifiable Information (PII). This requirement should be included in
all policies, procedures, and employee training. The discovery of an unreported breach often leads
to severe fines. Contract language should also be changed to reflect this requirement.
From the Office of the Privacy Commissioner of Canada[1]:
What You Need to Know About Mandatory Reporting of Breaches of Security Safeguards
Under the new regulations for organizations subject to the Personal Information Protection and
Electronic Documents Act, organizations must:
• Report to the Privacy Commissioner’s office any breach of security safeguards involving
personal information where it creates a “real risk of significant harm;”
• Notify individuals affected by a breach of security safeguards where there is a real risk of
• Keep records of all breaches of security safeguards that affect the personal information under
their control; and
• Keep those records for two years.
There could be financial penalties for non-compliance from the Attorney General of Canada.