No matter how protective our business is of the data that it handles, there are times when data breaches still happen, either because of internal factors or external interference. For these cases, our data breach notification law has certain requirements that we should comply with. In any case, reaching out to a data privacy lawyer must be our first step when a breach occurs.
What constitutes a data breach in Canada?
Under Canadian privacy law, an organization, whether in the private or public sector, must establish security safeguards to protect the personal information it collects. PIPEDA defines a "breach of security safeguards" as the loss of, unauthorized access to, or unauthorized disclosure of personal information that results from a breach of those safeguards or from a failure to establish them. In other words, a data breach occurs when the safeguards fail, or were never put in place, and the result is one or more of the following:
- loss of personal information
- unauthorized access to personal information
- unauthorized disclosure of personal information
Data protection and data notification laws
The main laws in Canada for the protection of personal information and the handling of data breach are:
- the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private sector organizations that collect, use, or disclose personal information in the course of commercial activity
- the Privacy Act, which applies to federal government institutions
- the provincial data protection and privacy laws, some of which (for example, Alberta's Personal Information Protection Act and Quebec's private sector privacy law) have their own mandatory breach notification regimes that apply in place of PIPEDA for activity within that province
What are the requirements under the data breach notification law?
Canadian law does not only require organizations that handle personal information to protect it; it also requires notifications to be sent when a data breach occurs.
We’ll explain more about these requirements under Canada’s data breach notification law. To know more about them, you can also reach out to the best data privacy lawyers in Canada as ranked by Lexpert.
When and how should a data breach notification be done?
Under Canada's data breach notification law, notification is mandatory only when it is reasonable to believe that the breach creates a "real risk of significant harm" ("RROSH") to an affected individual. PIPEDA sets out the following factors for deciding whether a breach creates a RROSH:
- the sensitivity of the personal information involved in the breach
- the probability that the personal information has been, is being, or will be misused
- any other prescribed factor
This means that it is your organization's own assessment, applied to these factors, that determines whether a breach creates a RROSH to an individual. The individuals concerned will usually be your customers, or whoever else the affected personal information is about.
These notification requirements continue to apply even if you have outsourced data processing to a third party. The obligation rests with the principal organization that has the personal information under its control, not with the third-party processor.
Whether you are a third-party processor or the principal organization, it is important to have these responsibilities spelled out, for example in a contract that requires the processor to report any breach to you promptly so that you can meet your own deadlines. It is better to consult a data privacy lawyer to help you with this.
Parties who should be notified in case of data breach
There are two main parties that you need to notify in cases of a data breach:
- the Office of the Privacy Commissioner of Canada (OPC), using its prescribed breach report form
- the individuals whose personal information was affected by the breach
PIPEDA also requires you to notify any other organization or government institution that may be able to reduce the risk of harm to the affected individuals (for example, a bank or a credit bureau), where doing so could reduce or mitigate that harm.
Again, these notifications are only required once you have determined that there is a RROSH to the affected individuals. Even where you conclude that there is no RROSH, PIPEDA still requires you to keep a record of every breach of security safeguards (for at least 24 months under the regulations) and to provide those records to the OPC on request.
Real risk of significant harm (RROSH)
Notifications to individuals hinge on your organization's determination of whether there is a RROSH. PIPEDA defines "significant harm" to include:
- bodily harm
- humiliation
- damage to reputation or relationships
- loss of employment, business, or professional opportunities
- financial loss
- identity theft
- negative effects on the credit record
- damage to or loss of property
Whether the harm is "significant" is one half of the test; whether the risk of it is "real" is assessed using the factors highlighted by PIPEDA above, namely the sensitivity of the personal information involved and the probability that it will be misused.
Details that should constitute a data breach notification
Canada's data breach notification law, specifically the PIPEDA regulations, provides that a data breach notification to an affected individual must contain the following:
- circumstances of the data breach
- day or the approximate period of the data breach
- personal information affected by the data breach
- steps that the organization or business took, and the individuals can take, to reduce the risk of harm resulting from the data breach
- contact information that the affected individual can use for further information about the data breach
In sum, the notification must contain enough information for the affected individuals to understand the significance of the breach and to take any steps they can to reduce the risk of harm. Note that the report to the OPC has its own prescribed contents, which also include the number of individuals affected (or an estimate), the steps taken to notify them, and the name and contact information of a person who can answer the OPC's questions.
Methods of sending a data breach notification
Under the data breach notification law, there are two ways to notify an affected individual of a data breach of their personal information:
- direct notification: the default method, which requires that the notification be conspicuous and given directly to the individual (e.g., in person, by telephone, mail, or email, or by any other means a reasonable person would consider appropriate in the circumstances)
- indirect notification: only allowed if direct notification would be likely to cause further harm to the affected individual, would be likely to cause undue hardship for your organization, or is impossible because you do not have the affected individuals' contact information
When you resort to indirect notification, it must be given by public communication that could reasonably be expected to reach the affected individuals. Some examples would be:
- advertisements in print or online newspapers
- announcements on official websites and social media accounts
How long should a company wait to notify affected persons in a data breach?
PIPEDA says that the report to the OPC and the notification to the affected individuals must be sent as soon as feasible after the organization determines that the breach has occurred; there is no fixed number of days, and a delay that cannot be justified will count against you. As such, your business or organization must be quick to go through the whole process: confirming that a breach has occurred, assessing whether there is a RROSH, and identifying the affected individuals. Having an established, documented incident response procedure, prepared with the help of a data privacy lawyer, is what allows you to notify the affected persons promptly when a breach happens.
You can also use our directory of the Lexpert-ranked best law firms for data protection and privacy in Canada. This page can be filtered according to province and city.