Organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will soon be required to keep records of breaches, and to report breaches to affected individuals and the Office of the Privacy Commissioner of Canada (OPC). These and other provisions come into force on November 1, 2018, as described in our previous bulletin: Important New Rules for Mandatory Privacy Breach Notification, Reporting and Record Keeping in Canada.

The OPC recently published draft guidelines, What you need to know about mandatory reporting of breaches of security safeguards, which set out its expectations regarding organizations' compliance with the new provisions. The draft guidelines include, among other things, criteria for assessing reporting and notification obligations, a detailed breach reporting form, and information about when notices may be given indirectly.

The draft guidelines set out some expectations, which many will consider are not necessarily aligned with current practices, such as:

  • Where Company A subcontracts the processing of personal information to Company B and Company B experiences a breach, both companies are expected to report the breach to the OPC; and
  • Law enforcement must be notified of a breach where bad actors attack a company's computer system and could have accessed personal information.

Stakeholders have until October 2, 2018 to provide submissions to the OPC regarding the draft guidance, as provided in the Notice of consultation on new mandatory breach reporting guidance and form. For any questions or assistance in respect of a submission to the OPC, please contact a member of our Privacy and Cybersecurity Group.