Data Breach reporting and recordkeeping requirements coming to Canada

hand holding a ball with random numbers printed all over it

The Office of the Privacy Commissioner of Canada advises on their web site that with the Digital Privacy Act having received Royal Assent in June, 2015, this means that data breach reporting, notification and recordkeeping requirements will be brought into force once related regulations outlining specific requirements are developed and in place.

Once in force, here is what the government web site states regarding the new requirements:

  • Once in force, a major change is a new requirement for organizations to report to our Office and notify affected individuals and relevant third parties (in certain circumstances) about “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals. “Breach of security safeguards” is defined in PIPEDA and generally includes what is commonly known as a data breach.


  • The concept of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft among others. Factors that organizations will need to consider when assessing the presence of a real risk of significant harm include the sensitivity of the information involved and probability that the information was or will be misused (or any other prescribed factor).


  • Notification to affected individuals and reporting to the OPC will be required as soon as feasible after an organization determines that the breach has occurred. An organization will also be required to notify any other organization or government institution if it believes the other body may be able to reduce the risk of or mitigate the harm. For example, a retailer could notify a credit card issuing bank or law enforcement agency. The consent of individuals would not be required for such disclosures.


  • Organizations will also be required to keep a record of all breaches involving personal information and provide a copy to the OPC upon request. Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches could face fines of up to $100,000.


  • More specific requirements relating to breaches will be set out in associated regulations to be developed by the federal government.


  • Until the provisions come into force, breach reporting will remain voluntary. We continue to urge organizations to report breaches to our Office by visiting our privacy breaches reporting web page and to notify affected customers where appropriate in accordance with our breach notification guidelines.

Watch for our next blog on “10 tips for Reducing Likelihood of a Data Breach” as advised by the Office of the Privacy Commissioner of Canada, and how BSC Solutions Group can help.