Mandatory Breach Reporting: Lessons From Year One

The federal Privacy Commissioner (OPC) recently published a blog post detailing trends that have emerged in the first year since mandatory breach reporting came into effect for organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), along with tips for organizations on responding to a breach.

On November 1, 2018, breach reporting in certain situations became mandatory under PIPEDA. As detailed in the previous bulletin, “Canadian Personal Information Security Breach Obligations – Preparing for Compliance”, an organization that suffers any “breach of security safeguards” involving personal information under its control must maintain a record of the breach. If the breach presents a “real risk of significant harm to an individual”, the organization must also promptly report the breach to the OPC and give notice of the breach to affected individuals, certain other organizations and government institutions. Since November 1, 2018, an organization’s knowing contravention of the personal information security breach reporting, notification (to individuals, but not to organizations or government institutions) and record-keeping obligations is an offence punishable by a fine of up to $100,000.

This content was last updated on May 2, 2024 at 13:50.