Nova Scotia β municipal breach notification
MGA and FOIPOP frame municipal privacy obligations. OIPC NS has published municipal breach guidance.
As soon as practicable for material breaches.
- Most Atlantic municipalities use MS-ISAC equivalents through CCCS; coordinate with both.
What this means for a Nova Scotia municipality
Canadian municipalities sit under a provincial public-sector privacy framework β for Nova Scotia, that means the Office of the Information and Privacy Commissioner for Nova Scotia is your primary regulator. The trigger for notification is generally a real risk of significant harm to affected residents, evaluated on probability of misuse, sensitivity of the data, and the population reached.
Most small and mid-sized Nova Scotia municipalities also have to weigh federal coordination through the Canadian Centre for Cyber Security, vendor obligations under PIPEDA, and β for any cross-border data β US state breach statutes that apply by residency of the affected individual, not by the location of the municipality. The HackFirstAid triage walks through those layers in plain language and produces a printable summary you can hand to your CAO and council.
If you're reading this during a live incident, open the free triage first; if you're reading it on a quiet Tuesday, run it as a tabletop with your clerk, IT lead, and one council member. Most Nova Scotia municipalities run it once before they need it, then once for real, six months later.
Tax, permits, utility billing, and court scheduling encrypted on the same morning.
Fraudulent wire instructions on a vendor payment or payroll change.
Vital records, property assessments, or business licenses exposed or altered.