Mandatory Breach Notification Regulations Now in Force

November 1, 2018

By Jennifer McKenzie, Catherine Lovrics and Amanda Branch  

Mandatory breach reporting is now in force for organizations regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). 

PIPEDA’s Breach of Security Safeguards Regulations came into force today, November 1, 2018. Mandatory breach notification has been in place in Alberta for years, and it is expected that British Columbia and Quebec will follow suit to ensure their privacy legislation remains ‘substantially similar’ to PIPEDA.

Organizations that suffer a breach of security safeguards that gives rise to a “real risk of significant harm” will be required to (i) report the incident to the Office of the Privacy Commissioner of Canada; (ii) notify affected individuals; and (iii) notify any other third party that is in a position to mitigate the risk of harm to affected individuals. These notifications must be made as soon as feasible after the organization determines that the breach has occurred. 

Recently, the Office of the Privacy Commissioner of Canada released its breach guidance, “What you need to know about mandatory reporting of breaches of security safeguards”, in final form, following the September release of its draft guidance for consultation.

For more information, contact our Privacy, Cybersecurity and Data Protection team.

Information on this website is for information only. It is not, and should not be taken as, legal advice. You should not rely on, or take or not take any action, based upon this information. Professional legal advice should be promptly obtained. Bereskin & Parr LLP professionals will be pleased to advise you.

Author(s):

Jennifer McKenzie
B.A. (Hons.), LL.B.
Partner
416.957.1628  
Catherine Lovrics
B.A., LL.B.
Partner
416.957.1163  
Amanda Branch
B.A. (Hons) Psych., J.D.
Associate
416.957.1690