In Canada there are more than 25 federal, provincial and territorial privacy statutes that govern the protection of personal information in the private, public and health sectors. Although these statutes vary in scope, requirements, and enforcement, there are similar provisions covering the collection, use and disclosure of personal information.
The primary federal data protection statute is the Personal Information Protection and Electronic Documents Act (PIPEDA) which applies to organizations who collect, use and disclose personal information in the course of a commercial activity, including banks, financial services organizations, telecommunications companies, airlines, railways, and other interprovincial organizations.
Most of the Canadian Privacy Statutes contain safeguarding provisions designed to protect personal information. These require organizations to take reasonable technical, physical and administrative measures to protect personal information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.
Breach Notification Requirements & Exemptions
Currently, Alberta is the only province with breach notification requirements. However, proposed amendments to PIPEDA would require notice of material breaches be made to the Office of the Privacy Commissioner of Canada (OPC) and, in certain circumstances, to the individuals affected.