On November 1, 2018, the mandatory breach reporting requirements under PIPEDA officially came into force.

Earlier this week, the Office of the Privacy Commissioner of Canada (OPC) also confirmed its guidance regarding PIPEDA’s new mandatory security and privacy breach notification requirements. This guidance contains helpful information regarding how and when to report breaches of security safeguards to the OPC, the corresponding notice that must be provided to individuals, and record-keeping obligations associated with such breaches.

Read our previous posts about these requirements and the guidance.

In the finalized guidance, the OPC has provided some further clarification on responsibility for reporting of breaches when more than one organization is involved (such as when an organization has transferred information to a service provider). In particular, the OPC has confirmed that it will generally interpret the principal organization as having control of personal information and therefore responsibility for breach reporting in respect of a breach that occurs with the third party service provider. However, the OPC also emphasized that ultimately this question will need to be assessed on a case-by-case basis and that service providers continue to have a number of obligations with respect to personal information under PIPEDA.