Skip to Content

Client Update: It’s here now! Breach reporting for Canadian businesses under PIPEDA

Rob Aske

You likely heard rumblings over the spring and summer, but now it’s here. Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) adds privacy breach reporting as of November 1, 2018.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control (including with a service provider) if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. (The Privacy Commissioner notes that it does not matter if it is one or thousands of affected persons).

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

Your business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Reports must be made “as soon as feasible after the breach”. The express goal is in part to reduce risks of harm, so reports may need to be made well before the full story of the breach is known.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records. (So businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.)

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to sharpen their privacy practices – because going public with a breach can make the impact a much larger mess.

You can find the federal Privacy Commissioner’s Guidelines on reporting breaches here.


This update is intended for general information only. If you have questions about the above information, please contact Rob Aske, or a member of our information technology, internet and privacy group.

Archive

Relief (potentially) in sight – The availability of remission under the Canadian retaliatory tariff regime (Part III)

BY Michelle Chai

By Michelle Chai In Parts I and II of this series, we discussed the remission guidelines and template for submissions published by the Department of Finance Canada (the “Guidelines”) for those…

Read More

Relief (potentially) in sight – The availability of remission under the Canadian retaliatory tariff regime (Part II)

BY Michelle Chai

By Michelle Chai In Part I of this series, we discussed the industries and goods eligible for remission.  In Parts II and III, we attempt to provide a framework for importers…

Read More

Relief (potentially) in sight – The availability of remission under the Canadian retaliatory tariff regime (Part I)

BY Michelle Chai

By Michelle Chai Government has implemented some processes which they hope will provide Canadian businesses and importers with some much-needed relief.  Update: An earlier version of this article was published before…

Read More

Newfoundland and Labrador Court of Appeal sends tort of “Intrusion Upon Seclusion” back into seclusion: Mount Pearl (City) v. Power, 2025 NLCA 16

BY Joe Thorne & Danielle Harris

By Joe Thorne and Danielle Harris After a brief two years of recognition in this province of a common law claim for breach of privacy, it seems its time has…

Read More

Preparing for Canada’s “Modern Slavery Act”: reporting deadline May 31

By Colleen Keyes, K.C., Christine Pound, ICD.D, and Harper Metler The 2024 reports under the Fighting Against Forced Labour and Child Labour in Supply Chains Act (the “Act”) are due…

Read More

New harassment prevention obligations for Nova Scotia employers

By Sean Kelly, Katharine Mack and Tiegan Scott Effective September 1, 2025, amendments to the Occupational Health and Safety Act passed last year will require employers in Nova Scotia to…

Read More

Non-disclosure agreements: A sword or a shield?

Murray L. Murphy, K.C., CPHR, Katharine Mack and Kate Profit Non-Disclosure Agreements (“NDAs”), legal contracts in which the parties agree to keep information outlined in the agreement strictly confidential, have been the subject…

Read More

What are deceptive design patterns (DDPs)?

Charlotte Henderson and Kaitlyn Clarke Interested in understanding the impacts of AI on your business? Looking to understand how these intersect with concerns around privacy? Curious about the impacts of…

Read More

Effectively identifying and navigating subtle discrimination: A must-do list for employers

By Lynn Iding, CPHR, CCIP and Sheila Mecking Interested in understanding the impacts of subtle discrimination on your business? Curious about the latest legal developments in racial discrimination? Looking to…

Read More

Summary of Bill 14 – Act to Amend the Fair Registration Practices in Regulated Professions Act

By Sheila Mecking and Danielle Bailey-Heelan On March 25, 2025, Bill 14 was introduced by the Acting Minister of Post-Secondary Education, Training and Labour to amend the Fair Registration Practices…

Read More

Search Archive