Mandatory Breach Notification Comes to Canada: What To Do About It

It’s been a long time coming, but we finally know that mandatory breach notification is coming to Canada. Beginning November 1, 2018, the Personal Information Protection and Electronic Documents Act (PIPEDA) will require notification to affected individuals and the federal Privacy Commissioner when a security incident involving personal information results in a “real risk of significant…

IPC Provides Important Guidance on New PHIPA Annual Reporting Obligations

Organizations which provide healthcare and are governed by the Personal Health Information Protection Act (PHIPA) should note that recent amendments to PHIPA require health information custodians (HICs) to file an annual report disclosing all security incidents involving theft, loss and unauthorized use or disclosure of personal health information to the Information and Privacy Commissioner. At…

The Right to Be Forgotten Comes to Canada

On January 26, 2018, the Office of the Privacy Commissioner of Canada issued a new position on the protection of online reputation. In doing so, the OPC recognized a right to have personal information de-indexed from search engine results if it is inaccurate, incomplete or out-of-date. Although the position is in draft, it is nonetheless of…

Procedural Power of Courts Not Constrained by PIPEDA

In Royal Bank of Canada v. Trang, the Supreme Court of Canada held that the Personal Information Protection and Electronic Documents Act (PIPEDA) does not interfere with the procedural powers of a court. The decision arose out of a situation in which past judicial interpretation and application of PIPEDA had impeded the ability of the…

Ten Incident Response Tips – Part 2

In Part 1 of this two-part series on data security incident response, we identified five “norms” to guide your incident response process…

Ten Incident Response Tips – Part 1

Responding to a data security incident is as much art as science. Whatever size your organization and whatever risks you face, you should have a detailed incident response plan to guide the efforts of a defined incident response team…

Supreme Court Affirms Supremacy of Solicitor-Client Privilege

In Alberta (Information and Privacy Commissioner) v. University of Calgary, a majority of the Supreme Court of Canada (with two justices partially concurring) affirmed that the University of Calgary was justified in its refusal to produce certain documents over which it had claimed solicitor-client privilege to the Information and Privacy Commissioner of Alberta (Commissioner). The…

First CASL Decision Invites Long-Desired Feeling of Normality

Canada’s Anti-Spam Legislation is relatively new, onerous and far from elegant. Organizations have been weighing the risks the best they can – and in doing so have puzzled over how to account for CASL’s provision for penalties of up to $10 million. On October 26th, the CRTC issued a decision in which it held that a company…

Federal Privacy Commissioner Uses Ashley Madison Incident to Promote Good Information Governance

Organizations subject to Canadian privacy law should be aware that the Office of the Privacy Commissioner of Canada (together with the Australian Information Commissioner) recently issued a report on the 2015 breach of the Ashley Madison website – a breach that affected nearly 35 million individuals who had used the online dating site for adults…