The OPC has just released its breach guidance in final form. These final guidelines, entitled "What you need to know about mandatory reporting of breaches of security safeguards", clarify an important point that was left uncertain in the earlier draft version, namely, who has the obligation to report a data breach that occurs while the personal information is with a third-party processor.
The OPC's guidance confirms that, generally speaking, it is reasonable to interpret the principal organization (the "accountable entity", or the "controller" in GDPR terms) as having "control" over the information in such circumstances and therefore as bearing the responsibility for breach reporting. More specifically, here is what the OPC guidance document says in this regard:
"The Act requires an organization to report a breach involving personal information under its control. Therefore, the obligation to report the breach rests with an organization in control of the personal information implicated in the breach.
The term control is not defined in the Act and is used in a number of provisions and contexts, which can lead to some ambiguity as to its meaning.
Questions about the issue of control may arise in particular where an organization (the "principal organization") has transferred personal information to a third party for processing and a breach occurs while the personal information is with the processor.
In this regard, we note that PIPEDA's accountability principle provides that an organization remains responsible for the personal information it has transferred to a third party for processing. In addition, we have heard from many stakeholders that requiring both the principal organization and the processor to report the breach would be largely inconsistent with existing business practices and raise various operational concerns.
Therefore, in this context, we find it reasonable to interpret the principal organization as having control of the personal information and therefore responsibility for breach reporting in respect of a breach that occurs with the third party processor." (our emphasis)