Mandatory breach reporting is now in force for organizations regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA’s Breach of Security Safeguard Regulations came into force today, November 1, 2018. Mandatory breach notification has been in place in Alberta for years, and it is expected that British Columbia and Quebec will follow suit to ensure their privacy legislation remains ‘substantially similar’ to PIPEDA.
Organizations that suffer a breach of security safeguards that gives rise to a “real risk of significant harm” will be required to (i) report the incident to the Office of the Privacy Commissioner of Canada; (ii) notify affected individuals; and (iii) notify any other third party that is in a position to mitigate the risk of harm to affected individuals. These notifications must be made as soon as feasible after the organization determines that the breach has occurred.
Recently, the Office of the Privacy Commissioner of Canada released its breach guidance, “What you need to know about mandatory reporting of breaches of security safeguards”, in final form, following the September release of its draft guidance for consultation.