Ensuring the safety and security of Canadians’ personal information

New requirements for businesses to report data breaches

November 1, 2018 – Ottawa, Ontario
The Government of Canada is ensuring that Canada has strong privacy laws that safeguard Canadians’ personal information while also supporting innovation.

Today, new requirements under commercial privacy law come into force. These requirements detail how businesses will alert individuals if their personal information is lost or stolen and impose new financial penalties if this isn’t done.  These new reporting requirements and penalties will lead to more careful protection of Canadians’ personal information and empower Canadians to protect themselves and their information.

Under the new requirements, organizations that experience a breach of data security safeguards involving personal information must do the following:
  • determine if the breach poses a real risk of significant harm to any individual whose personal information was involved in the breach;
  • notify affected individuals as soon as feasible of any breach that poses a real risk of significant harm;
  • report any data breach poses a real risk of significant harm to the Privacy Commissioner of Canada as soon as possible;
  • where appropriate, notify any third party that the organization experiencing the breach believes is in a position to mitigate the risk of harm; and
  • maintain a record of any data breach it becomes aware of and provide it to the Privacy Commissioner of Canada upon request.

The financial penalties a company must pay if it fails to report include potential fines of up to $100,000 for companies that knowingly fail to notify individuals or report a breach to the Office of the Privacy Commissioner of Canada.

The regulations are implemented under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The Act sets out the ground rules for how businesses collect, use or disclose personal information in the course of commercial activities.

Guidance material published by the Office of the Privacy Commissioner of Canada provides more details for businesses on how they should comply with their new obligations.

The collection, retention, use and disclosure of personal information by government institutions are governed by the Privacy Act. Federal institutions are already required to report material privacy breaches to the Office of the Privacy Commissioner and to Treasury Board Secretariat. 


“As a country, in order to reap the full rewards of the digital economy, Canadians must feel confident their data is safe and their privacy is respected. Our government is establishing new rules to keep Canadians informed about the way their data is handled by companies. These new regulations will hold companies accountable, empower Canadian consumers to protect themselves, and provide businesses with the type of clear rules that allow for greater innovation.” 
– The Honourable Navdeep Bains, Minister of Innovation, Science and Economic Development

Quick facts

  • The statutory requirements under PIPEDA encourage organizations to implement better information security practices and ensure that consumers are notified of breaches that may pose a risk of significant harm.
  • The new regulations provide further details on how organizations must comply with the mandatory reporting obligations by:
    • specifying the minimum requirements for providing a data breach report to the Privacy Commissioner of Canada;
    • specifying the minimum requirements for notifying affected individuals of a data breach; and
    • confirming the scope of and retention period for data breach recordkeeping.
Original Press Release


1 Comments Write your comment

    1. Loading...