Much attention has been given recently to the Digital Privacy Act [1] and the changes that will come into force later this year under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) [2] in respect of mandatory breach reporting and recordkeeping. Do PIPEDA and the Digital Privacy Act apply to pension plans? In Part I of a two-part blog post, we discuss the new provisions. In Part II of the post, we discuss the potential application of the new provisions and PIPEDA to employers who provide pension plans to their employees.
Digital Privacy Act
In June 2015, the Canadian federal government passed the Digital Privacy Act. A number of amendments were made to PIPEDA as a result. The most significant of such amendments were the provisions in respect of mandatory breach notification and recordkeeping. These provisions are not yet in force but will come into force effective November 1, 2018.
Under the new provisions, organizations subject to PIPEDA must report a breach of a security safeguard to the Office of the Privacy Commissioner of Canada (the “Privacy Commissioner”) where it is reasonable to believe that the breach creates a “real risk of significant harm” to affected individuals. The term “significant harm” includes, among other things, bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative effects on credit record and damage to or loss of property. [3]
In addition to requiring that a breach be reported to the Privacy Commissioner, the new legislation requires organizations affected by a security breach: (i) to notify affected individuals as soon as feasible after the organization determines that the breach has occurred; and (ii) to notify any other organization or government institution it believes may be able to reduce the risk of or mitigate the harm caused by the breach.
Beyond the mandatory breach reporting obligations, organizations will be required to keep a record of all breaches involving personal information for a minimum of 24 months after the breach has occurred. The organization will also be required to provide a copy of the record to the Privacy Commissioner upon request.
Fines of up to $100,000 may be imposed under PIPEDA if an organization knowingly fails to report to the Privacy Commissioner or fails to notify affected individuals of a breach that poses a real risk of significant harm.
Application to Pension Plans?
Do the new provisions apply to employers who provide pension plans to their employees? Yes, if PIPEDA applies.
What do the new provisions mean for employers who are subject to PIPEDA and who provide pension plans to their employees? It means that in the event of a breach involving plan member information, the affected organization (e.g., the employer plan sponsor or administrator) may be required to notify the Privacy Commissioner and the affected individuals, which could include plan members, former and retired plan members and other plan beneficiaries. The affected organization may also be required to notify any other organization or government institution which it believes may be able to reduce the risk of or mitigate the harm caused by the breach, which could include the applicable pension regulator. The employer plan sponsor or administrator will also be required to keep a record of the breach.
In Part II of our post, we discuss the potential application of the new provisions and PIPEDA to employers who provide pension plans to their employees.
For further information, please contact Kim Ozubko at firstname.lastname@example.org or 416-597-4338, or subscribe to our A.M. Pension Blog and webinar series to stay informed on the latest developments.
[1] SC 2015, c. 32.
[2] SC 2000, c. 5.
[3] PIPEDA, s. 10.1(7).