Canada's Digital Privacy Act (DPA) amended Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) in 2015. Among other changes to PIPEDA, the Canada DPA dictates what organizations that handle Canadian residents' personal information need to do to prevent and mitigate harm from data breaches.

This article explains what Canada's Digital Privacy Act (DPA) is, who it applies to, what it requires organizations to do regarding data breaches, and how to comply with the law's data breach requirements.


What is Canada's Digital Privacy Act (DPA)?

The Canada Digital Privacy Act (DPA) amends PIPEDA, which is Canada's main privacy law. It explains the steps organizations should take to protect Canadian residents' personal information and what they need to do should a data breach occur.

What is Personal Information Under Canada's Digital Privacy Act (DPA)?

Personal information under the Canada DPA is any information that can be used to identify an individual. Personal information can include names, email addresses, and financial and health information.

What are Data Breaches Under Canada's Digital Privacy Act (DPA)?

Data breaches fall under what the Canada DPA refers to as "breaches of security safeguards that create a real risk of significant harm."

The Canada DPA defines a "breach of security safeguards" as a circumstance in which personal information is lost or accessed or shared without authorization. A data breach can also occur due to a failure to set up adequate security safeguards.

Factors that help determine whether a data breach could cause "a real risk of significant harm" include:

  • The sensitivity of the personal information affected by the breach
  • The likelihood that the personal information has been, is being, or will be misused

Significant harm under PIPEDA can encompass physical harm, reputational injury, emotional damage, identity theft, and more:

PIPEDA definition of significant harm

Who Does Canada's Digital Privacy Act (DPA) Apply to?

The Canada DPA applies to any organizations that are subject to PIPEDA. PIPEDA applies to private-sector organizations that collect, use, or share Canadian residents' personal information while conducting commercial activities (financial transactions).

Organizations both within and outside of Canada must comply with PIPEDA. Federally regulated organizations (such as airlines, banks, and telecommunications companies) must also comply with PIPEDA.

Some Canadian provinces have privacy laws similar to PIPEDA. As long as private-sector organizations in those provinces comply with comparable privacy laws, they are exempt from PIPEDA.

The Office of the Privacy Commissioner of Canada's (OPC) website explains who PIPEDA applies to and defines commercial activity under the law:

Office of the Privacy Commissioner of Canada: How PIPEDA applies section excerpt

What Does Canada's Digital Privacy Act (DPA) Require Regarding Data Breaches?

The Canada DPA added several amendments to PIPEDA, including provisions concerning breach reporting.

To comply with the Canada DPA, applicable organizations must take the following steps as soon as possible after a data breach:

  • Report data breaches to the OPC
  • Notify individuals of a data breach that could potentially cause them harm
  • Explain any steps individuals should take to reduce potential harm from a data breach
  • Notify any other organizations or government institutions that could help reduce harm from a data breach
  • Keep a record of all data breaches involving personal information
  • Supply the OPC with a copy of their data breach record upon request

How Do You Comply With Canada's Digital Privacy Act (DPA) Data Breach Requirements?

There are a few steps you should take to comply with the Canada DPA data breach requirements, including reporting and keeping a record of data breaches and maintaining security safeguards to protect personal information.

Report Data Breaches to the OPC

Data breaches that involve personal information need to be reported to the OPC. You should make the report as soon as possible after the discovery of the data breach.

For instance, let's say a professional networking platform finds out it has been hacked and its users' personal information has been sold on the dark web. If some of the information belongs to Canadian users, the platform would need to contact the OPC right away to inform it of the breach.

Digital Privacy Act: Report to Commissioner section

The OPC's website contains information about how businesses can report a data breach and includes links to a data breach guidance page, a PIPEDA breach report form, and its breach reporting portal, as well as its phone numbers:

Office of Privacy Commissioner of Canada: Report a privacy breach page excerpt

Inform Affected Parties

You should notify affected parties about the data breach as soon as possible after it occurs. The notification should include information about what happened and what steps you are taking to mitigate potential damage caused by the data breach.

Continuing with the example of the hacked professional networking platform, the company would need to contact any Canadian users whose personal information had been affected by the data breach. It should let affected individuals know what happened and what steps they can take to reduce their risk of harm (such as changing their passwords).

The Breaches of Security Safeguards section of PIPEDA explains that organizations must contact individuals affected by a data breach as soon as possible:

PIPEDA: Breaches of security safeguards section excerpt 1

Notify Organizations That Can Help Reduce Harm

The Canada DPA requires organizations affected by a data breach to notify other organizations, including government agencies, if they could potentially help reduce harm from the data breach.

For example, if a data breach exposed individuals' financial information, the affected organization might contact users' credit card companies and banks to let them know about the breach and request monitoring of jeopardized accounts.

The Breaches of Security Safeguards section of PIPEDA explains that organizations should contact any other organizations or government entities that might be able to help reduce the risk of harm from a data breach. Contact with these organizations should be made as soon as possible after notifying the individual whose personal information was involved in the data breach:

PIPEDA: Breaches of security safeguards section excerpt 2

Keep a Record of Data Breaches

You should keep a record of any data breaches that involve Canadian residents' personal information. You will need to give a copy of the data breach record to the OPC upon request.

The Breaches of Security Safeguards section of PIPEDA requires organizations to keep a record of data breaches involving personal information:

PIPEDA: Breaches of security safeguards section excerpt 3

Establish and Maintain Adequate Security Safeguards

Applicable organizations must take steps to keep the personal information they collect or use safe.

You should establish the following safeguards to ensure compliance with the Canada DPA:

  • Physical protection: Such as locked doors and security cameras
  • Security protocols: Such as security clearances, staff training, and limiting access to personal information
  • Technological security measures: Such as strong passwords, firewalls, and encryption

You should provide additional protection for more sensitive information, and take extra care when destroying or disposing of personal information.

Principle 7 of PIPEDA describes the security methods organizations should employ to protect personal information, including implementing physical and technological safety measures:

PIPEDA Principle 7 excerpt

Responding to a Data Breach

It's a good idea to have a plan in place for how to manage a data breach.

For example, a business's damage control plan might include conducting a company-wide security audit, offering free credit monitoring services to affected individuals, and restricting access to its systems until it can guarantee their security.

The OPC's website details best practices for preventing and responding to a data breach, including designating a lead investigator, preserving evidence, and developing a prevention plan:

Office of Privacy Commissioner of Canada: Breach Containment and Preliminary Assessment page excerpt

What Happens If You Don't Comply With Canada's Digital Privacy Act (DPA)?

Failure to comply with the Canada DPA can result in hefty fines of up to $100,000.

Organizations that intentionally fail to do any of the following run the risk of receiving financial penalties:

  • Report data breaches to the OPC
  • Notify affected individuals of any data breaches that could cause them significant harm
  • Maintain a record of all data breaches

The Remedies section of PIPEDA explains that organizations that don't comply with the Breaches of Security Safeguards section of the law can be fined up to $10,000 or up to $100,000 per offence, depending on how the offence is prosecuted:

PIPEDA Offence and punishment section excerpt

The OPC states that failure to comply with the Canada DPA can lead to fines of up to $100,000:

Office of the Privacy Commissioner of Canada: DPA and PIPEDA fines

Summary

Canada's Digital Privacy Act (DPA) amends PIPEDA to include data breach reporting and record-keeping requirements, among other changes.

The law applies to private-sector organizations (both within and outside of Canada) that collect or use Canadian residents' personal information for commercial purposes.

The Canada DPA requires applicable organizations to report data breaches to:

  • The Office of the Privacy Commissioner of Canada
  • Affected individuals
  • Any organizations or government agencies that can help reduce harm from the data breach

Organizations must also keep a record of all data breaches and supply the OPC with data breach records upon request.

You should take the following steps to comply with the Canada DPA's requirements:

  1. Report data breaches to the OPC
  2. Contact affected individuals
  3. Explain the steps individuals should take to reduce harm from the data breach
  4. Notify other organizations or government entities that could help reduce harm from the data breach
  5. Establish and maintain security safeguards (including providing extra security for sensitive information)
  6. Create a plan for responding to and managing a data breach
  7. Keep a record of all data breaches involving personal information
  8. Provide the OPC with a copy of your data breach record upon request

If you knowingly fail to comply with the Canada DPA, you can face fines of up to $100,000.
