As of November 1, 2018, organizations subject to The Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to:
- report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals
- notify affected individuals about those breaches, and
- keep records of all breaches.
This guidance will provide an overview of what you need to know about these obligations.
On this page
- Part 1 – Your obligations for reporting breaches
- Part 2 – Submitting a breach report to the OPC
- Part 3 – You need to keep records of all breaches
- Part 4 – When and how to notify individuals
- Part 5 – Notification to Organizations
- Part 6 – Assessing real risk of significant harm
- PIPEDA breach report form
What will I learn from this guidance?
You will learn how to determine what breaches of security safeguards (also referred to in this document as breaches) have to be reported to the Office of the Privacy Commissioner of Canada (OPC), and what kind of notice you need to give individuals.
You will also learn about your obligation to keep records of breaches and what information needs to be included.
What is a breach of security safeguards?
A breach of security safeguards is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.
Does this apply to small businesses?
Yes. Large and small businesses will be subject to PIPEDA requirements to report and notify breaches of security safeguards that pose a real risk of significant harm, and to keep records of all breaches of security safeguards.
Are there financial penalties?
Yes. Under PIPEDA it is an offence to knowingly contravene PIPEDA’s reporting, notification and record-keeping requirements relating to breaches of security safeguards, and doing so could lead to fines.
The OPC does not prosecute offences under PIPEDA or issue fines. What the OPC can do is refer information relating to the possible commission of an offence to the Attorney General of Canada, who would be responsible for any ultimate prosecution.
For additional information, you can read what the law says.
Are there other materials I can read?
Yes. The OPC has other materials that you can read and use for training. These are:
- Tips for containing and reducing the risks of a privacy breach
- Securing personal information: A self-assessment tool for organizations
Once you have read those, we would encourage you to learn about accountability with our Getting Accountability Right with a Privacy Management Program document, developed in conjunction with the Information and Privacy Commissioners of Alberta and British Columbia.
Part 1 – Your obligations for reporting breaches
Do I need to report all breaches to the OPC?
No. The law requires that you report any breach of security safeguards involving personal information under your control if it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm (RROSH) to an individual.
Whether a breach of security safeguards affects one person or 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach.
Who is responsible for reporting the breach?
The Act requires an organization to report a breach involving personal information under its control. Therefore, the obligation to report the breach rests with an organization in control of the personal information implicated in the breach.
The term control is not defined in the Act and is used in a number of provisions and contexts, which can lead to some ambiguity as to its meaning.
Questions about the issue of control may arise in particular where an organization (the “principal organization”) has transferred personal information to a third party for processing and a breach occurs while the personal information is with the processor.
In this regard, we note that PIPEDA’s accountability principle provides that an organization remains responsible for the personal information it has transferred to a third party for processing. In addition, we have heard from many stakeholders that requiring both the principal organization and the processor to report the breach would be largely inconsistent with existing business practices and raise various operational concerns.
Therefore, in this context, we find it reasonable to interpret the principal organization as having control of the personal information and therefore responsibility for breach reporting in respect of a breach that occurs with the third party processor.
In so doing, the principal organization will need to ensure there are sufficient contractual arrangements in place with the processor to address compliance with the breach provisions set out in PIPEDA. The same would be true for notification and record-keeping obligations.
That said, business relationships can be very complex and determining who has personal information “under its control” needs to be assessed on a case-by-case basis. This assessment can be informed by relevant contractual arrangements and commercial realities between organizations. Evolving business models and shifting roles may also impact the assessment. For instance, if an organization that is a processor uses or discloses the same personal information for other purposes, it is no longer simply processing the personal information on behalf of another organization and is thereby acting as an organization “in control” of the information.
In addition, an organization that processes personal information on behalf of another organization still has obligations under the Act in respect of the personal information in its possession or custody, as an organization that collects, uses or discloses personal information in the course of commercial activities (Footnote 1).
What is real risk of significant harm (RROSH)?
Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include the sensitivity of the personal information involved in the breach of security safeguards and the probability that the personal information has been, is being, or will be misused.
Detailed guidance on how to assess whether a breach of security safeguards poses a real risk of significant harm and needs to be reported is provided in Part 6 of this document.