
Mandatory Breach Notification Regulations Now in Force

November 1, 2018

By Jennifer McKenzie, Catherine Lovrics and Amanda Branch  

Mandatory breach reporting is now in force for organizations regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). 

PIPEDA’s Breach of Security Safeguards Regulations came into force today, November 1, 2018. Mandatory breach notification has been in place in Alberta for years, and it is expected that British Columbia and Quebec will follow suit to ensure their privacy legislation remains ‘substantially similar’ to PIPEDA.

Organizations that suffer a breach of security safeguards that gives rise to a “real risk of significant harm” will be required to (i) report the incident to the Office of the Privacy Commissioner of Canada; (ii) notify affected individuals; and (iii) notify any other third party that is in a position to mitigate the risk of harm to affected individuals. These notifications must be made as soon as feasible after the organization determines that the breach has occurred. 

Recently, the Office of the Privacy Commissioner of Canada released its breach guidance, “What you need to know about mandatory reporting of breaches of security safeguards”, in final form, following the September release of its draft guidance for consultation.

For more information, contact our Privacy, Cybersecurity and Data Protection team.

Content shared on Bereskin & Parr’s website is for information purposes only. It should not be taken as legal or professional advice. To obtain such advice, please contact a Bereskin & Parr LLP professional. We will be pleased to help you.