Mandatory Breach Notification Regulations Now in Force

November 1, 2018
By Jennifer McKenzie, Catherine Lovrics and Amanda Branch  

Mandatory breach reporting is now in force for organizations regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). 

PIPEDA’s Breach of Security Safeguards Regulations came into force today, November 1, 2018. Mandatory breach notification has been in place in Alberta for years, and it is expected that British Columbia and Quebec will follow suit to ensure their privacy legislation remains ‘substantially similar’ to PIPEDA.

Organizations that suffer a breach of security safeguards that gives rise to a “real risk of significant harm” will be required to (i) report the incident to the Office of the Privacy Commissioner of Canada; (ii) notify affected individuals; and (iii) notify any other third party that is in a position to mitigate the risk of harm to affected individuals. These notifications must be made as soon as feasible after the organization determines that the breach has occurred. 

Recently, the Office of the Privacy Commissioner of Canada released its breach guidance, “What you need to know about mandatory reporting of breaches of security safeguards”, in final form, following the September release of its draft guidance for consultation.

For more information, contact our Privacy, Cybersecurity and Data Protection team.
