If a company has a data breach involving personal data (e.g. staff names, addresses, Social Insurance Numbers), there are three laws that may apply in Canada:
PIPEDA is Canada’s federal law covering cyber privacy and mandates that “… notification shall be given as soon as feasible…”. We called the Office of the Privacy Commissioner, which is the regulator, and asked for clarification on what “…as soon as feasible…” actually means. We were told:
The exact phrasing we received over the phone was “as soon as is feasible after an organization finds out that a breach could cause significant harm”.
Two important PIPEDA exemptions are:
PIPEDA does not apply to an employee’s name, title, business address, telephone number and email address which an organization collects, uses or discloses solely for the purpose of communicating with individuals in relation to their employment, business or profession. PIPEDA also exempts organizations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes.
PIPA is the Alberta, British Columbia and Quebec privacy legislation:
It is not uncommon to see summaries like: “…Ultimately, the GDPR applies to EU-based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.”
Note that a higher standard of care is required for medical information disclosures, but those are not the topic we are considering here.
For additional information we suggest you consult a privacy lawyer and skim the following articles: