Mandatory Breach Reporting Starts November 1, 2018

The Government of Canada has set November 1, 2018 as the date on which the mandatory breach reporting and recordkeeping provisions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force.

The mandatory recordkeeping provisions require organizations to keep records of any loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or security safeguards or as a result of a failure to implement safeguards that should have been implemented by the organization. If it would be reasonable to believe that the breach creates a real risk of significant harm to an affected individual, the breach must also be reported to the Office of the Privacy Commissioner of Canada and to the affected individual.

The Order in Council also set the coming into force of certain ancillary provisions, such as provisions to maintain the confidentiality of breach reports to the OPC and the right of an individual to make a compliant about the organization’s breach reporting.

See the Order in Council here.