Language selection


News release

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

New data breach reporting requirements come into force this week

GATINEAU, QC, October 29, 2018 – Businesses have new obligations under breach of security safeguards rules coming into force this week, says the federal Privacy Commissioner.

Changes to Canada’s federal private sector privacy law will require organizations to report certain breaches of security safeguards to the Commissioner’s office and to notify those affected.

“The number and frequency of significant data breaches over the past few years have proven there’s a clear need for mandatory reporting,” says Commissioner Daniel Therrien. “Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”

The Office of the Privacy Commissioner of Canada has published guidance to help businesses comply with the new requirements as well as a new reporting form.

The final version of the guidance was developed following a public consultation. The Commissioner’s office received 20 submissions from various sectors on a draft version of the guidance. The Commissioner thanks those who provided their feedback.

Under the new regulations for organizations subject to the Personal Information Protection and Electronic Documents Act, which come into force November 1, organizations must:

  • Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”
  • Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
  • Keep records of all breaches of security safeguards that affect the personal information under their control; and
  • Keep those records for two years.

Commissioner Therrien called the regulations “imperfect but a step in the right direction.”

He has raised concerns that the reporting requirements fall short in that, for example, they don’t ensure that breach reports to his office provide the information necessary to assess the quality of organizations’ safeguards. As well, the government has not provided the Privacy Commissioner’s office with resources to analyze breach reports, provide advice and verify compliance. As a result, the office’s work will be somewhat superficial and the regime will be less effective in protecting privacy.

About the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as a guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law.

- 30 -

For more information, please contact:

Office of the Privacy Commissioner of Canada

Date modified: