Canadian Private Sector Data Breach Laws and Guidance
| Private Sector Laws (non-health sector) | Personal Information Protection and Electronic Documents Act (PIPEDA) | Alberta Personal Information Protection Act (PIPA) |
|---|---|---|
| Applies to | Organizations that have control of personal information collected, used and/or disclosed in the course of a commercial activity; and federal works, undertakings or businesses that have control of personal information collected, used and/or disclosed with respect to an applicant for employment or an employee | All organizations, whether for-profit or not-for-profit, that have control of personal information (including employee information) collected, used and/or disclosed in Alberta |
| Extraterritorial effect | ✔ Judicially settled | Unclear; the Alberta Commissioner takes the position that it does |
| Personal information | Any information about an identifiable individual | Any information about an identifiable individual |
| Breach includes | Loss, unauthorized access or unauthorized disclosure as a result of a breach of security safeguards or a failure to implement security safeguards | Loss, unauthorized access or unauthorized disclosure |
| Good-faith acquisition exempted | ✖ However, the circumstances will be relevant to the risk-of-harm analysis | ✖ However, the circumstances will be relevant to the risk-of-harm analysis |
| Safe harbour for encryption | ✖ However, the circumstances (including whether the data was encrypted) will be relevant to the risk-of-harm analysis | ✖ However, the circumstances (including whether the data was encrypted) will be relevant to the risk-of-harm analysis |
| Harms-based test for reporting (real risk of significant harm) | ✔ | ✔ |
| Harms include more than financial harm | ✔ | ✔ |
| Obligation to report to the Privacy Commissioner | ✔ | ✔ |
| Obligation to notify affected individuals | ✔ | ✔ |
| Obligation to notify police | ✔ If it would assist in mitigating the risk of harm | ✖ |
Resources published by regulators
Office of the Privacy Commissioner of Canada Resources
Alberta Information and Privacy Commissioner Resources
Security Breaches and PIPEDA – Answers to Questions You Asked
I was asked many questions by a very engaged audience prior to, during and after a 2018 LexisNexis Canada webinar on the new breach of security safeguards provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). For the benefit of all, I've tackled those questions here.
Check back from time to time, because I will update them with other interesting questions that I get asked. Also, don't forget to check out the recorded version of the webinar.