Canada PIPEDA Incident Response Guidelines

How to prepare your business to comply with Canada’s long-standing privacy legislation

Canada first introduced comprehensive privacy legislation, known as the Personal Information Protection and Electronic Documents Act (PIPEDA), in 2000 and has amended the law several times since. PIPEDA carries penalties of up to $100,000 CAD per violation, making it critical for every organization to understand what’s required under the law.

Automate PIPEDA obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who is Subject to PIPEDA

Private sector organizations across Canada that collect, use, or disclose personal information during commercial activity are subject to PIPEDA.

What is personal information?

Any factual or subjective information about an identifiable individual, including:

  • Age, name, ID numbers, income, ethnic origin, or blood type
  • Opinions, evaluations, comments, social status, or disciplinary actions
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, or intentions (e.g. to acquire goods or services or to change jobs)

What is commercial activity?

Any transaction, act, or conduct that is “commercial” in nature, such as selling, bartering, or leasing.

Canada does make several exceptions to PIPEDA compliance for various types of organizations as well as various types of data.

Exempt organizations

  • Organizations located in provinces with substantially similar legislation to PIPEDA (Alberta, British Columbia, Quebec), unless personal information crosses provincial or national borders during commercial activities.
  • Municipalities, universities, schools, and hospitals, unless they use personal information in a commercial way that is not central to their mandate or responsibilities and not covered by similar provincial law.
  • Not-for-profit and charity groups and political parties and associations, unless they use personal information in a commercial way that is not central to their mandate.

Exempt types of data

  • Personal information handled by federal government organizations.
  • Business contact information (e.g. employee name, title, business address, telephone number, or email address), if that information is collected, used, or disclosed solely for communications related to the individual’s employment.
  • Personal information collected, used, or disclosed solely for journalistic, artistic, or literary purposes.

The following federally regulated organizations that conduct business in Canada are always subject to PIPEDA, and the law also covers the personal information of their employees:

  • Airports, aircraft, and airlines
  • Banks
  • Inter-provincial or international transportation companies
  • Telecommunications companies
  • Offshore drilling operations
  • Radio and television broadcasters

How Canada Enforces PIPEDA

Failure to comply with PIPEDA can carry a fine of up to $100,000 CAD per violation. Organizations can also face criminal prosecution if they purposely destroy information after receiving a request for review, retaliate against employees for complying with PIPEDA, or attempt to hinder investigations.

Who Enforces PIPEDA?

The Office of the Privacy Commissioner of Canada (OPC) has the power to review, investigate, and enforce PIPEDA.

What Enforcement Powers Exist?

OPC investigations can lead to a hearing in federal court, a public interest disclosure, an audit of privacy practices, compliance agreements, or a report of offenses.

What Services Does the OPC Offer?

The OPC offers free advisory services to help organizations comply with PIPEDA, including reviewing privacy practices to identify risks and areas for improvement.

Security Safeguards and Data Breach Reporting Under PIPEDA

A 2018 amendment requires organizations to report any data breach that creates a real risk of significant harm for individuals and to keep records of data breaches for 24 months after discovery.

What is a breach of security safeguards?

Any instance of loss or unauthorized access, use, or disclosure of personal information.

What is “significant harm”?

  • Bodily harm
  • Humiliation, reputational damage, or relationship damage
  • Loss of employment, business, or professional opportunities
  • Financial loss, identity theft, or any negative impact to credit records
  • Damage to or loss of property

How can organizations determine if a “real risk of significant harm” exists?

By conducting an assessment of the sensitivity of the personal information involved in the breach and weighing the probability that the information could be misused.

Incident Response Measures Required Under PIPEDA

Any organization that experiences a data breach must follow incident response requirements for issuing notifications when there is a real risk of significant harm and for keeping records about the breach, regardless of the risk of harm.

Who to Notify About a Data Breach

The OPC, affected individuals, relevant third parties (such as those that process or control information involved in the breach), and any government institutions or organizations that might help reduce the risk of harm to individuals (e.g. law enforcement or payment processors).

When to Issue a Data Breach Notification

As soon as possible once the organization has determined a breach occurred and that it meets the requirements to create a real risk of significant harm.

How to Issue a Data Breach Notification to the OPC

Notifications to the OPC must be in writing and include:

  • The circumstances of the breach and its cause (if it’s known)
  • When the breach occurred
  • The personal information affected in the breach
  • The number of individuals affected by the breach
  • Steps taken to reduce the risk of harm to affected individuals
  • Steps taken or ones the organization will take to notify affected individuals
  • Name and contact information of a contact person

How to Issue a Data Breach Notification to Affected Individuals

Notifications to individuals must be conspicuous and given directly to individuals in person, by telephone, mail, email, or any other form of communication that a reasonable person would consider appropriate in the circumstances. This notification must include:

  • The circumstances of the breach and its cause (if it’s known)
  • When the breach occurred
  • The personal information affected in the breach
  • The number of individuals affected by the breach
  • Steps taken to reduce the risk of harm to affected individuals
  • Steps affected individuals can take to reduce the risk of harm
  • Name and contact information for someone whom affected individuals can contact to obtain more information about the breach

Note: Organizations can issue an indirect notification if a direct notification is likely to cause further harm to affected individuals or cause undue hardship for the organization, or if the organization does not have contact information for affected individuals.

An indirect notification is any public communication that can be reasonably expected to reach the individuals, such as advertisements in print or digital newspapers in combination with a prominent notice on the company website.

What Records Organizations Must Keep

Organizations must keep a record of every security breach for at least two years, regardless of whether or not there is a real risk of significant harm. Details to record include:

  • Date or estimated date of the breach
  • General description of breach circumstances
  • Nature of information involved in the breach
  • Whether or not the organization reported the breach to the OPC and affected individuals
  • (If the breach was not reported) An explanation of why the organization determined there was no real risk of significant harm

Examples of Incidents That Can Trigger a Notification Under PIPEDA

Any incident that creates a real risk of significant harm will trigger a notification under PIPEDA. Common examples include:


Ransomware

An attack in which malware is used to steal data and hold it captive in exchange for money. Even if the company recovers the data, personal information that was exposed can still create a real risk of significant harm.


Exfiltration

The transfer of data by unauthorized users to servers or devices they control; it is a step in most cyber attacks. If any personal information is involved, it can create a real risk of significant harm.


Trojan Attack

An attack that hides a malicious program inside legitimate software to create an entry point for attackers to access data. This can expose personal information and create a real risk of significant harm.

How Organizations Can Prepare for PIPEDA

PIPEDA requires organizations to be accountable. This means appointing someone to be responsible for compliance, protecting personal information held by the organization, and developing a privacy management program. To meet these requirements, organizations must take a proactive approach to three critical phases of incident response:

Preparation
Be ready to quickly and confidently respond when an incident occurs by:

  • Reviewing requirements for incident response outlined in PIPEDA, any other relevant laws, and contracts with customers and partners
  • Developing incident response plans that meet those requirements
  • Practicing and testing those plans through tabletop exercises

Response
Put response plans into action to reduce any penalties associated with the incident and mitigate long-term public impact by:

  • Investigating the incident, including what happened, when it happened, what data was involved, who was affected, and if it meets the real risk of significant harm standard
  • Coordinating workflows to gather the necessary information and generate reports
  • Taking action to correct the issue and mitigate risk for those involved
  • Issuing notifications as required by PIPEDA and any other relevant laws

Recovery & Ongoing Management
Make incident response an ongoing effort by regularly reviewing plans as laws and contracts evolve, including:

  • Introducing a centralized dashboard as a single source of truth for all monitoring, reporting, and incident response plans
  • Sharing access with key stakeholders to secure alignment on response plans and ensure they know their responsibilities when an incident occurs

Make Proactive Incident Response a Priority

Canada has strengthened PIPEDA through amendments several times since it first introduced the law, and more changes are sure to come. Against this backdrop, organizations must make proactive incident response a priority to stay aware of updates and enable a faster response when a breach occurs — which will mitigate fallout and reduce costs.

Achieving this goal of proactive incident response requires organizations to understand privacy laws, assign responsibility internally, develop ready-to-use response plans, and regularly evolve those plans as laws like PIPEDA change over time.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.