Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

Act current to 2019-07-01 and last amended on 2019-06-21. Previous Versions

Marginal note:Report to Commissioner

  •  (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

  • Marginal note:Report requirements

    (2) The report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note:Notification to individual

    (3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

  • Marginal note:Contents of notification

    (4) The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.

  • Marginal note:Form and manner

    (5) The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.

  • Marginal note:Time to give notification

    (6) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note:Definition of significant harm

    (7) For the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

  • Marginal note:Real risk of significant harm — factors

    (8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

    • (a) the sensitivity of the personal information involved in the breach;

    • (b) the probability that the personal information has been, is being or will be misused; and

    • (c) any other prescribed factor.

  • 2015, c. 32, s. 10
Date modified: