Draft Guidance Released Regarding Mandatory Breach Reporting Under PIPEDA


On September 17, 2018, the Office of the Privacy Commissioner of Canada (OPC) released draft guidance regarding PIPEDA’s new mandatory security and privacy breach notification requirements, which come into force on November 1, 2018.

Read our previous post about these requirements.

This guidance contains helpful information regarding how and when to report breaches of security safeguards to the OPC, the corresponding notice that must be provided to individuals, and record-keeping obligations associated with such breaches.

Of particular note, this guidance provides the following key pieces of information and clarification:

  • Not all breaches must be reported to the OPC. Rather, only those breaches that create a “real risk of significant harm” to an individual are the subject of mandatory reporting obligations. “Real risk of significant harm” is to be determined on a case by case basis, considering the sensitivity of the personal information involved in the breach and the likelihood that the personal information could be misused to inflict harm such as humiliation, damage to reputation, financial loss, identity theft or loss of employment, business or professional opportunities. Thus, the threshold for reporting is based less on the number of individuals affected and more on the magnitude of the harm likely to result.
  • Reporting should commence as soon as possible once the organization determines that a breach creates a real risk of significant harm. Having incomplete information should not delay a report; rather, an organization must report the information it has available, and update or correct information as appropriate following submission of the initial report.
  • The obligation to report resides with the organization in control of the personal information that is the subject of the breach; however, given the frequent use of third-party service providers, it is possible that the custody and control of personal information may be shared by multiples parties. In such a case, the OPC expects that all organizations involved in the breach report the breach to the OPC.
  • A report made to the OPC must contain information regarding the date of the breach, the circumstances of the breach, personal information involved, number of individuals affected, security safeguards in place at the time of the breach, description of how the affected individuals have (or will) be notified, steps taken to contain the breach and reduce risk of harm, and contact information for the person within the organization who can provide more information regarding the breach.
  • When a breach creates a real risk of significant harm, the individuals whose personal information was the subject of the breach must also be notified of the breach. In most cases, this notification must be provided directly to the individual (e.g. via telephone, mail or email); however, there are limited circumstances in which indirect notification is sufficient (e.g. via public announcement or advertisement, or prominent notice on the organization’s website).This notification must be provided as soon as possible following occurrence of the breach, and must include sufficient information to communicate the nature and significance of the breach so that the individuals are able to take any steps they may deem necessary to reduce the harm that may befall them. This information must be similar to that contained in the report provided to the OPC; however, it should also include steps that the affected individual may take to reduce risk and mitigate harm, and contact information that the affected individual may use to obtain more information regarding the breach.
  • If a breach may also be mitigated or the risk of harm reduced via notification of other government institutions or organizations, then notification of these bodies must also occur. For example, if a breach results in unauthorized access to payment card information, notification of relevant payment card issuers or processors must be made.
  • The obligation to maintain records regarding breaches is not limited to only those breaches that are reportable to the OPC. Rather, records of all breaches of personal information under an organization’s control must be maintained by the organization.These records must contain information regarding the date of the breach, the circumstances of the breach, personal information involved, and reporting and notification (including, if not reported, information regarding how the organization arrived at that decision). These records must be maintained for a minimum of two years.

The draft guidance includes a PIPEDA breach report form, which can be used by organizations to report security and privacy breaches to the OPC following the effective date of the breach notification requirements.

It is important to note that the draft guidance indicates various ways in which the OPC can handle the information in a breach report, including as the basis for initiating an investigation and in any ensuing investigation. As such, breach reports should be carefully prepared and reviewed before they are submitted.

The draft guidance and breach report form are consultation documents, and as such, the OPC has invited stakeholders to provide feedback on both documents by October 2, 2018. Following this date, final versions of both documents will be published in time for November 1, 2018. We will provide more information regarding these documents as it becomes available.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.