
Publication
Recent developments on AI in federal government institutions
Canada’s proposed artificial intelligence (AI) legislation, the Artificial Intelligence and Data Act, died on the Order Paper earlier this year when Parliament was prorogued.
Canada | Publication | September 29, 2020
In light of a recent Office of the Privacy Commissioner publication, companies should note the importance of sometimes-overlooked breach compliance activities, including documenting a data breach, and how implementing an effective breach management system can be an important compliance tool.
The federal Office of the Privacy Commissioner (OPC) recently published the 2019 Breach Record Inspection report (report)1 on how organizations are addressing personal information breach record keeping and notification obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).2 The report provides guidance for organizations on assessing and documenting a “real risk of significant harm” (RROSH), which triggers notification to the regulators and individuals.
A key takeaway from the report is how important it is for organizations to have a breach management system in place that consistently and appropriately assesses whether there is a RROSH if a breach occurs. Furthermore, a record-keeping system that sufficiently documents such assessment may serve as evidence of compliance with the mandatory breach notification.
PIPEDA requires not only that an organization report all RROSH breaches but also that it record all breaches, whether reportable or not. In cases where no RROSH is found, an organization should also make sure that enough detail about the RROSH assessment is documented for future investigation by the OPC. Some of the practices that the OPC described included:
Breach records must contain sufficient information for the OPC to verify an organization’s compliance with mandatory breach reporting and notification requirements. The report further describes the following practices with regard to record keeping:
In addition to including the above elements in its breach management system, the report recommends that organizations continually audit and improve these systems (including to ensure an organization’s staff are not under-reporting breaches). An organization may therefore want to review its current breach management system to ensure that it includes the elements outlined in the report, as well as procedures to continually audit and improve the same.
The authors wish to thank law student Roxanne Caron for her help in preparing this legal update.
© Norton Rose Fulbright LLP 2025