Data leaks have come one after another for several years now. If a company suffers a data theft and some of the stolen data concerns you, does it have to notify you personally?
YES, this is already the case nationwide for the following organizations:
- Companies whose operations cross provincial borders – and which therefore collect information about customers outside the province in which they are headquartered – or even national borders
- Federally regulated entities such as banks, telecom companies, airports, etc.
In their case it is the Personal Information Protection and Electronic Documents Act, PIPEDA, that applies. Since 2018, this federal privacy law has required them to notify you if they have been the victim of a data breach. Under PIPEDA, records of all security breaches must be kept for 2 years.
And for smaller companies? The answer varies from province to province.
Alberta, which has its own private-sector privacy law, requires the company to notify the provincial privacy commissioner. However, there is no formal obligation to notify you personally.
British Columbia also has a similar private-sector law, which, however, imposes no obligation to notify either the privacy commissioner or the individuals concerned.
Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have similar laws, but only with respect to the collection, use, and disclosure of personal health information.
As of September 22, Quebec is the only province where the law requires every organization – your local grocery store, your dentist, etc. – to notify you of "privacy incidents" that could cause you serious harm. The only exception is that the company or organization does not have to inform you if doing so risks obstructing an important investigation, such as a criminal investigation.
The company must also tell you who can answer your questions and what steps to take. It must also inform the Commission d'accès à l'information, the CAI.
It is the company that assesses the risk of serious harm, based on the sensitivity of the information in question, the possible consequences of its use, and the likelihood that it will be used against the victims of the incident. However, if the organization fails to report a privacy incident to the Commission d'accès à l'information, it faces penal and administrative penalties, including fines of up to US$25 million, or even more if its global turnover is very high.
Journalist: Francois Sancho
Research: Isabel Roberge