What you need to know about mandatory reporting of breaches of security safeguards

As of November 1, 2018, organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to:

  • report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals
  • notify affected individuals about those breaches, and
  • keep records of all breaches.

This guidance will provide an overview of what you need to know about these obligations.

Overview

What will I learn from this guidance?

You will learn how to determine what breaches of security safeguards (referred to in this document as “breaches”) have to be reported to the Office of the Privacy Commissioner of Canada (OPC), and what kind of notice you need to give individuals.

You will also learn about your obligation to keep records of breaches and what information needs to be included.

If you want to read the legal provisions relating to breaches of security safeguards, you can read them in PIPEDA and in the Breach of Security Safeguard Regulations.

What is a breach of security safeguards?

A “breach of security safeguards” is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.

Does this apply to small businesses?

Yes. Large and small businesses alike must meet PIPEDA’s requirements to report, and give notice of, breaches that pose a real risk of significant harm, and to keep records of all breaches.

Are there financial penalties?

Yes. Under PIPEDA it is an offence to knowingly contravene PIPEDA’s breach reporting, notification and record-keeping requirements and doing so could lead to fines.

The OPC does not prosecute offences under PIPEDA or issue fines. What the OPC can do is refer information relating to the possible commission of an offence to the Attorney General of Canada, who would be responsible for any ultimate prosecution.

For additional information you can read what the law says.

Are there other materials I can read?

Yes. The OPC has other materials that you can read and that you can use for training. These are:

Once you have read those, we would encourage you to learn about accountability with our Getting Accountability Right with a Privacy Management Program document, developed in conjunction with the Information and Privacy Commissioners of Alberta and British Columbia.

Part 1 – Your obligations for reporting breaches

Do I need to report all breaches to the OPC?

No. The law requires that you report any breach involving personal information under your control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” (RROSH) to an individual.

Whether a breach affects one person or 1,000, it must still be reported if your assessment indicates that it creates a “real risk of significant harm.”

Who is responsible for reporting the breach?

The Act requires an organization to report a breach involving personal information “under its control.” Therefore, the obligation to report the breach rests with an organization in control of the personal information implicated in the breach.

In keeping with the accountability principle in PIPEDA, an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. Accordingly, in these circumstances, it is responsible for reporting a breach that occurred with the third-party service provider.

There may be more than one organization in control of the same information involved in a breach, each with its own obligations under PIPEDA.

We expect reports from all organizations involved in the breach; together they give us a complete overview of the particular breach and of the various players involved in the incident.

For example:

  • Company A engages Company B as a subcontractor to process personal information on Company A’s behalf.
  • Company A learns that Company B has incurred a breach that involves the personal information it is processing for Company A.
  • We would expect that both companies would report the breach to the OPC.

What is real risk of significant harm (RROSH)?

Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

The real risk of significant harm must be determined based on an assessment of the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being, or will be misused.

You can find detailed information on how to assess whether a breach poses a real risk of significant harm and needs to be reported.

Do you have a form I can use to report one of these breaches?

Yes. See the PIPEDA breach report form.

Can I add new information to a report already sent?

Yes. If you become aware of any new information you may report that information.

Part 2 – Submitting a breach report to the OPC

What do I need to include in a report to the OPC?

We have specific guidance on what to include in a report and how to file reports.

Part 3 – You need to keep records of all breaches

What records do I have to keep?

PIPEDA requires you to keep records of all breaches of personal information under your control – whether there is a real risk of significant harm or not.

To put it simply – there must be a record of every breach.

What should a record contain?

Records must contain, for every breach, any information that enables the OPC to verify compliance with the breach reporting and notification requirements in sections 10.1(1) and (3) of PIPEDA.

As a starting point, we would expect at minimum a record to include:

  • date or estimated date of the breach;
  • general description of the circumstances of the breach;
  • nature of information involved in the breach;
  • whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified; and
  • if the breach was not reported to the Privacy Commissioner/individuals, a brief explanation of why the breach was determined not to pose a “real risk of significant harm.”

Do records have to include personal information about people?

Records should describe the nature or type of information involved in the breach, but need not include personal details unless necessary to explain the nature and sensitivity of the information.

How long do I have to keep records?

The law requires you to keep breach records for two years.

Other legal requirements may oblige you to keep them for longer.

Part 4 – When and how to notify individuals

When do I notify individuals?

Unless otherwise prohibited by law, anytime you determine that a breach poses a real risk of significant harm to an individual, you must notify the individual(s) concerned. The notification must be conspicuous and must be given directly to the individual, except in certain circumstances described in the regulations where indirect notification is permitted.

The law requires that notification to individuals must be given as soon as feasible after you have determined a breach involving a real risk of significant harm has occurred.

What do I have to include in notifications to individuals?

The notification must include enough information to allow the individual to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from the breach or mitigate the harm.

As well, it should not be overly legalistic and it should be easily understandable.

The notification must include the following information specified in the regulations:

  • a description of the circumstances of the breach;
  • the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
  • a description of the personal information that is the subject of the breach to the extent that the information is known;
  • a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
  • a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
  • contact information that the affected individual can use to obtain further information about the breach.

What is direct notification?

Direct notification is when you notify an individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.

When can I indirectly notify individuals?

There are limited times when you can indirectly notify people. These are when:

  • direct notification would be likely to cause further harm to the affected individual;
  • direct notification would be likely to cause undue hardship for the organization; or
  • the organization does not have contact information for the affected individual.

What are examples of indirect notification?

Indirect notification must be given by a public communication or similar measure that could reasonably be expected to reach the affected individuals.

This can include public announcements, such as advertisements in online or offline newspapers.

You should use a method that is likely to reach affected individuals. For example, a mention in a corporate blog may not have the reach of a prominent and dedicated public announcement campaign.

For indirect breach notifications, you should employ those measures you would for other public announcements. For example, consider how to incorporate media messaging, including a prominent notice made on your website, or other online/digital presence.

Part 5 – Notification to Organizations

What does this mean?

When you notify an individual of a breach involving a real risk of significant harm, you must also notify any other government institutions or organizations that you believe can reduce the risk of harm that could result from the breach or mitigate the harm.

What are some examples?

Each case depends on the specific circumstances, but examples include:

  • Notifying law enforcement when there is an attack on your computer system where bad actors could have accessed your customers’ information.
    • Why: Because this can help law enforcement catch those bad actors to mitigate any harm to individuals.
  • Notifying everybody who processes your payments, including your payment processor or acquiring bank, in the case of a breach affecting individuals’ payment card information.
    • Why: Because this can reduce the risk of ensuing fraud on individuals’ credit card or bank accounts.

Part 6 – Assessing real risk of significant harm

As an accountable organization, you should develop a framework for assessing the real risk of significant harm. This will ensure that all breaches are assessed consistently.

The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include:

  • the sensitivity of the personal information involved in the breach;
  • the probability that the personal information has been, is being, or will be, misused.

As a part of your assessment you should consider the following:

  1. Sensitivity:
    • PIPEDA does not define “sensitivity.” However, the concept of sensitivity of personal information is discussed in Principle 4.3.4 of PIPEDA, which states:

      “Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.”

    • Following a breach, to determine sensitivity, it is therefore important to examine both what personal information has been breached and the circumstances.
    • Certain information may, on its face, be clearly sensitive. Other information may not be.
    • The circumstances of the breach may make the information more or less sensitive. The potential harms that could accrue to an individual are also an important factor.
  2. Probability of misuse. Ask yourself the following questions:
    • What happened, and how likely is it that someone would be harmed by the breach?
    • Who actually accessed or could have accessed the personal information?
    • How long has the personal information been exposed?
    • Is there evidence of malicious intent (e.g., theft, hacking)?
    • Were a number of pieces of personal information breached, thus raising the risk of misuse?
    • Is the breached information in the hands of an individual or entity that represents a reputational risk to the individual(s) in and of itself (e.g., an ex-spouse or a boss, depending on the specific circumstances)?
    • Was the information exposed to limited or known entities who have committed to destroy and not disclose the data?
    • Was the information exposed to individuals or entities who have a low likelihood of sharing the information in a way that would cause harm (e.g., an accidental disclosure to unintended recipients)?
    • Was the information exposed to individuals or entities who are unknown, or to a large number of individuals, where certain individuals might use or share the information in a way that would cause harm?
    • Is the information known to be exposed to entities or individuals who are likely to attempt to cause harm with it (e.g., information thieves)?
    • Has harm materialized (demonstration of misuse)?
    • Was the information lost, inappropriately accessed or stolen?
    • Has the personal information been recovered?
    • Is the personal information adequately encrypted, anonymized or otherwise not easily accessible?
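The record-keeping obligation in Part 3 and the assessment outcome in Part 6 are usually tracked in a breach register. The following is an added illustration, not OPC material or a form prescribed by PIPEDA: a minimal register that stores the minimum record content listed in Part 3, flags records that are missing that content (in particular the rationale required when no real risk of significant harm was found), derives the obligations that follow from the assessment, and computes the two-year retention date. The RROSH determination itself remains a human judgement made against the Part 6 factors; the register only stores its outcome. All class and function names and the sample records are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Added example (not OPC material): a minimal breach register holding the
# record content Part 3 lists as a minimum, checking each record for
# completeness, and deriving the obligations that follow from the Part 6
# assessment outcome. Names and sample data are constructed for illustration.


def add_years(d: date, years: int) -> date:
    """Same calendar date `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class BreachRecord:
    breach_date: date                    # date or estimated date of the breach
    date_is_estimate: bool               # True when only an estimate is known
    circumstances: str                   # general description of what happened
    nature_of_information: str           # type of information; no personal details
    real_risk_of_significant_harm: bool  # outcome of the Part 6 assessment (human judgement)
    reported_to_opc: bool = False
    individuals_notified: bool = False
    rationale_if_not_reported: Optional[str] = None  # required when no RROSH was found
    record_created: date = field(default_factory=date.today)

    def obligations(self) -> List[str]:
        """Obligations triggered by the assessment outcome (Parts 1, 4 and 5)."""
        if not self.real_risk_of_significant_harm:
            return ["keep record"]
        return ["keep record", "report to OPC", "notify affected individuals",
                "notify organizations that can reduce the harm"]

    def retention_ends(self) -> date:
        """PIPEDA requires breach records to be kept for two years."""
        return add_years(self.record_created, 2)

    def completeness_issues(self) -> List[str]:
        """Part 3 minimum content that is missing, or obligations not yet recorded."""
        issues = []
        if not self.circumstances.strip():
            issues.append("missing description of circumstances")
        if not self.nature_of_information.strip():
            issues.append("missing nature of information involved")
        if self.real_risk_of_significant_harm:
            if not self.reported_to_opc:
                issues.append("RROSH found but report to OPC not recorded")
            if not self.individuals_notified:
                issues.append("RROSH found but notification of individuals not recorded")
        elif not self.rationale_if_not_reported:
            issues.append("not reported: explanation of the no-RROSH decision is required")
        return issues


def records_to_retain(register: List[BreachRecord], as_of: str) -> List[BreachRecord]:
    """Records still within the two-year retention period on the given ISO date."""
    today = date.fromisoformat(as_of)
    return [r for r in register if r.retention_ends() >= today]


# Constructed (fictitious) sample records.
SAMPLE_REGISTER = [
    BreachRecord(date(2019, 3, 4), False,
                 "Laptop holding an unencrypted customer export stolen from a vehicle",
                 "names, postal addresses, account numbers", True,
                 reported_to_opc=True, individuals_notified=True,
                 record_created=date(2019, 3, 5)),
    BreachRecord(date(2019, 6, 1), True,
                 "Newsletter sent with all recipients visible in the To: field",
                 "email addresses of newsletter subscribers", False,
                 record_created=date(2019, 6, 3)),
]

if __name__ == "__main__":
    for rec in SAMPLE_REGISTER:
        print(rec.breach_date, rec.obligations(), rec.completeness_issues(),
              "retain until", rec.retention_ends())
```

The second sample record is deliberately incomplete: it was assessed as not posing a real risk of significant harm but carries no explanation, which is exactly the omission the fifth bullet in Part 3 rules out. A register kept this way gives the OPC the information it needs to verify compliance without the records themselves containing personal details about affected individuals.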

PIPEDA breach report form

For use by private sector organizations reporting breaches of security safeguards to the Office of the Privacy Commissioner of Canada (OPC)

What is a breach of security safeguards (“breaches”)?

A “breach of security safeguards” is defined in the Personal Information Protection and Electronic Documents Act (PIPEDA) as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.

Am I required to submit a report to the OPC if my organization has had a breach?

On June 18, 2015 the Digital Privacy Act was passed into law. This Act includes an amendment to PIPEDA requiring organizations to report breaches of security safeguards to the OPC involving personal information under their control where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. This requirement comes into effect as of November 1, 2018. Read our guidance for more information. The present form can be used by organizations that have experienced a breach to meet their legal obligations under PIPEDA and the Breach of Security Safeguards Regulations: SOR/2018-64.

I am an individual affected by a privacy breach - should I use this form?

Individuals who would like to make a complaint about a breach of their privacy by an organization should not use this form. Instead, please consult the Report a concern section of our website.

Should I include personal information in this form?

No. The form need not include personal information other than the business contact information of the person(s) at the organization whom the OPC can contact with any follow-up questions. For instance, the form should not include the names or other identifying details of affected individuals unless it is necessary to explain the personal information involved. The form is intended to provide information about the breach and the nature of the information involved.

How quickly after a breach should I submit this form?

Organizations must report a breach to the OPC as soon as feasible after the breach, even if not all information (e.g. the cause, or planned mitigation measures) is known or confirmed. You may add or correct information as it becomes available.

What can happen after a breach is reported to the OPC?

When the OPC becomes aware of a breach, we might seek more information from the organization involved and then work to identify and resolve any compliance issues with PIPEDA and mitigate any of the incident’s damaging effects.

How will the OPC handle information provided by organizations in a breach report?

The OPC generally has a duty to maintain the confidentiality of breach reports submitted to the Privacy Commissioner under PIPEDA. However, there are some exceptions to this obligation. For instance, the OPC may disclose information in a breach report to domestic and international counterparts in accordance with information-sharing agreements or arrangements, or to a government institution if the Commissioner has reasonable grounds to believe that the information could be useful in the investigation of a contravention of the laws of Canada or a province. The Commissioner may also disclose information publicly where he believes it is in the public interest to do so.

Information provided to the OPC in a breach report could sometimes be used as the basis for initiating an investigation and in any ensuing investigation.

The Digital Privacy Act also amends the federal Access to Information Act (ATIA) to create a statutory exemption from the disclosure of any data breach report in response to access to information requests under the ATIA.

Where can I get more information on responding to a privacy breach?

Please see our office’s guidance entitled What you need to know about mandatory reporting of breaches of security safeguards.

PIPEDA breach report form

Throughout this form, * denotes mandatory fields as required by law. Other fields are optional.

Information of organization

* Legal name of the organization:


Address of organization:


* Contact information of a person who can answer, on behalf of the organization, OPC’s questions about the breach:

Name:
Title/position:
Address:
Telephone:
Email:

Breach description

* Number of individuals affected by the breach or, if unknown, the approximate number:

If possible, please also provide the total number of Canadians affected by the breach:

* When the breach occurred:

Please describe the day on which the breach occurred, or the period during which the breach occurred, including a date range, if applicable.

Type of breach (select one):

  1. unauthorized access by malicious or potentially malicious actor(s);
  2. accidental disclosure (e.g., misdirected communications or accidentally unsecured information);
  3. theft of physical devices or paper records containing personal information; or
  4. loss of physical devices or paper records containing personal information.

* Description of the circumstances of the breach, and, if known, the cause:

For example:

  1. how and why the breach occurred,
  2. when the breach was discovered,
  3. where the breach occurred,
  4. who may have had access to the personal information (to the extent known).

Description of relevant security safeguards in place at the time of the breach to prevent the type of incident that occurred:


* Description of the personal information that is the subject of the breach to the extent known:

Describe the type and nature of the personal information that was breached (for instance, name, phone number, email address, account number, social insurance number, etc.).

IMPORTANT: This section need not include any identifying information, unless it is necessary to explain the nature and the sensitivity of the information.

Notification

* Description of notification to affected individuals:

Have affected individuals been notified?

  • Yes
  • No

Date notification began (or is planned):
Date notification was completed:

Method of notification used for affected individuals (select one):

  1. Affected individuals notified directly;
  2. Affected individuals notified indirectly;
  3. Some individuals notified directly, some notified only indirectly; or
  4. Some or all affected individuals not notified.

Describe the form of notification (e.g., directly by letter, email, telephone; indirectly via newspaper announcement, etc.):

IMPORTANT: Do not include any identifying personal information.

If possible, please provide a copy of the notification (or script of notification).

If you have chosen to notify indirectly, describe the rationale for doing so as well as the type of indirect notification used (i.e. how it was delivered to the target audience):


Risk Mitigation

* Description of any steps (apart from notification to affected individuals) taken by the organization to reduce the risk of harm to affected individuals, or to mitigate that harm:

For example, this can include:

  • taking steps such as resetting passwords, offering credit monitoring services where appropriate, recovering misdirected information, seeking confirmation from unintended recipients that they have destroyed and not circulated the information; and
  • notifying third parties or organizations that can reduce the risk of harm, such as the police, payment processors or credit card companies.

Description of any other organizations and/or government institutions notified about the breach not mentioned above (for example, professional bodies or other privacy commissioners’ offices):

Name of organization(s):

Date(s) notified:

Description of the steps taken to reduce the risk of a similar event occurring in the future:

For example:

  • An experienced IT security firm has been hired to review our organization’s security program, and we are committed to making any recommended improvements.
  • All new contracts with web service providers will include the following quality control provisions:
    • a privacy training module has been developed and is now mandatory for all staff;
    • all laptops will be encrypted; and
    • software change management protocol has been updated, etc.

Please submit this form through one of the following means:

By email : notification@priv.gc.ca
(Should you wish to do so, you may send the breach report as an encrypted attachment, with password provided by separate means.)

By mail or by hand:
PIPEDA Breach Response Officer
Office of the Privacy Commissioner of Canada
30 Victoria Street, 1st Floor
Gatineau, QC K1A 1H3

Should you require additional information about breach reporting requirements under PIPEDA, please see our office’s guidance entitled What you need to know about mandatory reporting of breaches of security safeguards.
