The federal government has set November 1, 2018 as the date the mandatory breach reporting provisions of the Personal Information Protection and Electronic Documents Act ("PIPEDA") will come into effect.
The breach reporting obligation will apply to all federally regulated employers (including banks, telecommunication companies, airlines, and other interprovincial businesses) and private sector employers operating in the Yukon, Northwest Territories and Nunavut.
For provincially regulated employers, Alberta is currently the only province with mandatory private sector privacy breach reporting requirements. However, we also recommend that British Columbia-based private sector organizations report privacy breaches to the Office of the Information and Privacy Commissioner for British Columbia on a voluntary basis as a precautionary measure.
Both Alberta and the federal government have adopted the "real risk of significant harm" standard. Key elements of this test relate to the sensitivity of the personal information and the likelihood that it could be misused. Where a "real risk of significant harm" is posed by the leak or theft of personal information, employers must report the breach of privacy to the affected individuals, e.g. employees, as well as to the privacy commissioner.
Employers are also required to take steps to mitigate the harm to those individuals where possible. This may involve plugging the leak or requiring that erroneously distributed documents containing private information be deleted or destroyed. Where necessary, employers are also required to notify third parties that may be able to assist in the mitigation of harm.
Finally, employers should maintain a record of data breaches, whether or not the breaches meet the "real risk of significant harm" standard, as these records may be reviewed by the privacy commissioner.
With thanks to articling student Jason Harmon for his assistance drafting this post.
For further information on the federal privacy breach reporting requirements and an in-depth review of the regulations, please review Mark Fancourt-Smith’s post, Mandatory Data Breach Notification Regime Announced Amid Facebook Scandal, on our Commercial Litigation and Dispute Resolution Blog.
Lawson Lundell's Labour and Employment Law Blog provides updates on the most recent legal developments impacting the Canadian workplace and offers practical tips for employers. We cover a range of topics, including labour relations, employment law, collective bargaining, human rights, employment standards, employment equity, workers' compensation, business immigration, privacy, occupational health and safety and pensions and employee benefits.