
Posted in: Data Protection | Privacy | Data Security/Privacy

Apr 13, 2018

New Notification Requirements for Data Breaches

By Stephen Crawford

As of November 1, 2018, if your organization suffers a data breach, new reporting requirements will be in place that may require you to notify consumers and the Privacy Commissioner of the breach – or else face a fine of up to $100,000.

Further to an Order-in-Council published in late March, certain sections of the Digital Privacy Act will come into force on November 1, 2018. These sections require that if:

(a) there is any breach of an organization’s security safeguards involving personal information under its control, and

(b) it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual,

then the organization must notify both the individuals affected and the Privacy Commissioner of the breach. These notifications must be given as soon as feasible after the organization discovers the breach.

“Significant harm” is broadly defined – it includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. When determining whether there is a real risk of significant harm to an individual, the organization should consider the sensitivity of the personal information involved in the breach and the probability that it has been, is being or will be misused.

Regulations to the Digital Privacy Act, which we expect to be published next week, will set out the information that must be included in these notifications and the way that they must be provided. We will post an update on this blog with further details once these regulations are released. At the very least, the notification to the affected individuals must be conspicuous and given to them directly, and it must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.

Organizations will also be required to notify any other organization or governmental institution that may be able to reduce the risk of harm that could result from the breach, or to mitigate that harm.

Data breaches can happen in any organization, and they pose both a reputational and business risk. As of this November, there will also be specific legal consequences if you fail to notify affected individuals (and the Privacy Commissioner) of data breaches that pose a real risk of significant harm to individuals.
