Canadian Digital Privacy Act Raises Stakes

Veriphyr reports impermissible use of patient data the first time it happens.

Digital Privacy Act

Recently, Canada added an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA). The Digital Privacy Act creates new, stricter obligations for record-keeping, reporting, and notification of data breaches.

The Act places emphasis on putting data into context to determine its sensitivity. As a rule, personal health information (PHI) is always considered to be sensitive. Health care providers thus are under even closer scrutiny to adopt protective measures against data breaches (a).

Under The Act, a data breach is defined as

“the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards… or from a failure to establish those safeguards” (a).

This widening of the definition of a data breach means organizations will have to work even harder to comply.


Record Keeping Obligation

The record-keeping obligation goes into effect when there is any breach, no matter how small. Under the act, a breach occurs anytime protected information is visible to someone not authorized to see it. This includes leaving a document on a messy desk or opening a document on a laptop where the screen is visible to the person next to you (a).

Alan Norquist, expert in data privacy, compliance, confidentiality and security gives an in depth talk on detecting privacy breaches.


Reporting and Notification Obligations

The reporting and notification obligations go into effect when there is a breach with a risk of “significant harm”. Significant harm includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property” (b).


“The mandatory notification requirements will place more organizations under public scrutiny – and likely accelerate the upward trend in data breach class action lawsuits” – (a)


New mandatory data breach response obligations include updating training and policies, and facilitating internal breach reporting.

In addition, all responsibility for a data breach will fall on the organization itself in both the case of a lawsuit or reputational damage. This includes breaches by an organization’s own employees or subcontractors.


Non-Compliance Consequences

Not complying with the obligations established by the Digital Privacy Act can lead to fines of up to $100,000 per violation, civil lawsuits, investigation by the Privacy Commissioner of Canada, and damage to the organization’s reputation (b).


Recommendations for Organizations

New record-keeping requirements pose new challenges. For one, organizations must devote resources to record every breach that occurs. In addition, they need to create a standard form with legal consultation to document high risk breaches.

Organizations are also highly recommended to prepare for and protect against breaches by their own employees. Internal breaches can range from accidentally faxing information to the wrong location, curiously scrolling through patient data, to actively selling information online.

Veriphyr can be a powerful tool to help healthcare organizations under this new law. Using advanced data analytics, Veriphyr can detect impermissible use of patient data the first time it happens.



(a) Digital Privacy Act Mandatory Data Breach Response Obligations Effective November 1, 2018: 5 Key Focus Areas For Your Compliance Plan – August 20, 2018