Language selection


Consultation on mandatory breach reporting guidance

New provisions for mandatory reporting of privacy breaches under the Personal Information Protection and Electronic Documents Act (PIPEDA) come into force November 1, 2018.

As of that date, organizations subject to PIPEDA will be required to:

  • report to the Office of the Privacy Commissioner of Canada all breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals;
  • notify affected individuals about those breaches; and
  • keep records of all breaches.

In September 2018, the Office of the Privacy Commissioner held a consultation on our draft guidance and form for mandatory breach reporting requirements, inviting feedback on this material.

What we heard

We received more than 20 submissions from various sectors, and incorporated that feedback into the material.

Our results and recommendations

On October 29, 2018, we published our final guidance document and reporting form to help organizations ensure they comply with their new obligations to report breaches of security safeguards:

Report a problem or mistake on this page
Error 1: No selection was made. You must choose at least 1 answer.
Please select all that apply (required):


Date modified: