CANADA PRIVACY LAWS

Mandatory Breach Reporting and/or Consumer Notification

Yes. Under PIPEDA, a breach of security safeguards that poses a real risk of significant harm must be reported to the Office of the Privacy Commissioner of Canada and affected individuals must be notified as soon as feasible after the organization determines that the breach has occurred; the Act does not set a fixed number of days.
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor-Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Mandated Rights of the Individual
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach reporting, notification and record-keeping requirements:

- Fines up to $100,000 (CAD) per offence for knowingly failing to report a breach to the OPC, notify affected individuals, or keep the required breach records

Regulation Levels (each category below is rated on the level scale that follows)
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Vendor Contract Required
Level scale
  • None to minimal
  • Basic requirements
  • Comprehensive requirements
  • Extensive requirements
Quick Facts
  • Privacy law in Ontario is a mixture of federal statutes and provincial statutes.
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is based on the 10 fair information principles set out in its Schedule 1.
  • Private-sector organizations in Canada that collect, use or disclose personal information in the course of commercial activity are subject to PIPEDA.
  • Federal works, undertakings and businesses (FWUBs) operating in Canada are subject to PIPEDA, including with respect to their employees’ personal information.
  • All businesses operating in Canada that handle personal information crossing provincial or national borders are subject to PIPEDA.
  • Organizations must contract with Vendors for the processing of personal information, or must exercise strict oversight of Vendors (e.g., auditing) where no contract exists.
  • Organizations with the direct consumer relationship are responsible for personal information in their possession or custody, including information they transfer to Vendors for processing.
  • Organizations and their Vendors processing personal information in the course of commercial activity must designate an individual (or individuals) accountable for personal information under the Organization’s control.
  • Organizations and their Vendors must have policies and procedures in place for the handling, protection and security of personal information.
  • Organizations should retain the right, typically by contract, to inspect or audit the Vendor’s policies and procedures for handling and protecting personal information.
  • Vendors processing personal information in a foreign jurisdiction are subject to the laws of that country, and a contract cannot override those laws. Organizations must pay close attention to the legal requirements of each foreign Vendor’s jurisdiction.
  • Organizations transferring personal information to a Vendor located in a foreign jurisdiction are required to inform consumers that their personal information may be accessed by the courts, law enforcement and national security authorities of that jurisdiction.
  • Organizations with the direct consumer relationship must be transparent when obtaining consent for the collection, use and disclosure of personal information.
  • Consumers have the right to request access to their personal information, request correction of their personal information, withdraw consent, or have their personal information deleted. Organizations must establish a process to ensure that all Vendors processing that consumer’s information update the information as necessary.
  • Organizations must keep internal records of their personal information management practices. The Office of the Privacy Commissioner of Canada (the “OPC”) has the right to audit an Organization’s records.
  • Breach reporting and consumer notification are mandatory.
  • If a Vendor experiences a breach of security safeguards involving an Organization’s personal information, the Vendor must notify the Organization.
  • The Organization in control of the personal information is responsible for any necessary consumer notifications and/or breach reporting to the OPC if it is determined that the breach creates a real risk of significant harm (RROSH) to an individual or individuals.
  • An Organization required to complete breach notification must also notify any other organizations or government institutions it believes can reduce the risk of harm to the affected individuals (e.g., law enforcement, Vendors).
  • Organizations must keep internal records of every breach of security safeguards involving personal information under their control (even where it was determined that there was no real risk of significant harm) for 24 months from the day the Organization determines the breach occurred. The records must be provided to the OPC upon request.
  • Privacy by Design, now practiced globally, was developed by the Information and Privacy Commissioner of Ontario.
  • PIPEDA may extend to an Organization if personal information crosses provincial or national borders.
  • PIPEDA does not apply to not-for-profits, charities and other organizations not engaged in commercial activity, in which case provincial or territorial privacy legislation may apply.
  • PIPEDA is overseen by the Office of the Privacy Commissioner of Canada.
  • Health organizations (health information custodians under Ontario’s PHIPA) and their Vendors must have measures in place for the protection and security of personal health information.
Statutes and Laws
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Ontario’s Personal Health Information Protection Act (PHIPA)
  • Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) and Ontario’s Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
  • Ontario’s Employment Standards Act (ESA)