PIPEDA's Breach Reporting Requirements Come into Effect on November 1, 2018

The federal requirements on privacy breach reporting has been finalized and will come into force on November 1, 2018.
Categories: Business Insights
Jun 6th, 2018 | By: CapriCMW

Canadians have long been anticipating the implementation of federal privacy breach reporting requirements. Originally passed on June 18, 2015, Bill S-4 - the Digital Privacy Act, included amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most of the amendments are already in force with the exception of those pertaining to privacy breach reporting.  As of November 1, 2018, organizations hit by a privacy breach (that meets certain conditions) will be required to notify affected individuals and the Office of the Privacy Commissioner. 

According to the Act, organizations must report any breach where there is a "real risk of significant harm to the individual." The term "significant harm" is defined as "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on (one’s) credit record and damage to or loss of property."

Notifying the Commissioner

Notice to the Commissioner must be in the form of a written report that includes: 

  • the circumstances and cause (if known) of the breach 
  • the day (or time period) the breach occurred
  • the personal information that was exposed
  • an estimate of the number of individuals affected
  • the steps the organization has taken to minimize the risk to affected individuals 
  • the steps the organization has taken (or will take) to notify affected individuals 
  • the name and contact information of the representative of the organization who will respond to inquiries on the breach
Notifying Affected Individuals

Notice to affected individuals must be delivered by email, letter, telephone or in person except in cases where the direct notification could cause further harm to affected individuals or undue hardship to the organization, or where current contact information for affected individuals is unavailable. Under these circumstances, the organization is permitted to provide indirect notification through public announcements or advertising. The notice must include: 

  • the circumstances of the breach
  • the day (or time period) the breach occurred
  • the personal information that was exposed
  • the steps that the organization has taken to minimize the risk to affected individuals
  • the steps that affected individuals can take to minimize the risk for themselves
  • contact information that affected individuals can use for further information about the breach
  • the organization’s internal complaint process and rights of affected individuals to file complaints with the Commissioner

In circumstances where notifying other organizations or government institutions could help minimize the risks to affected individuals of a breach, the organization is required to do so as well. 


For any privacy breach that occurs, regardless of whether or not notice is required, organizations must maintain records for 24 months from the date the breach is discovered. The Commissioner can request access to the breach records at any time to determine if the organization is complying with PIPEDA. Organizations will want to include as much evidence as possible of their compliance to avoid penalties.

Penalties for Violations

 Violations of the privacy breach reporting requirements could lead to fines of up to $100,000 for each violation. 

Leading up to the November 1 enforcement date, it is important for all organizations to:

  • conduct a thorough review of existing cybersecurity measures
  • enhance safeguards where necessary to protect personal information
  • implement formal, written policies and procedures for identifying and responding to breaches

For further details about the regulations, see the Government of Canada's release on the Breach of Security Safeguards Regulations.

Recent Blog Posts

Business Insurance / Construction, Real Estate, mass timber, sustainable housing
BC Proposes Building Code Changes to Allow 18-Storey Mass Timber Buildings

The provincial government has proposed changes to the British Columbia Building and Fire Codes (BC…

Dec 27th, 2023 | By: CapriCMW
Business Insurance / Small Business, SME, commercial property
Applications Open for BC's Securing Small Business Rebate Program

As of November 22, 2023, small businesses in BC can apply for a new provincial rebate to help them…

Dec 12th, 2023 | By: CapriCMW
Employee Benefits / employment law, employee benefts, pay transparency, pay equity
New Pay Disclosure Requirements Now in Effect for BC Employers

As of November 1, 2023, employers are required to include wage or salary ranges in job postings open…

Nov 16th, 2023 | By: CapriCMW
Search the Blog

Confidence and Freedom

At CapriCMW, we provide personalized insurance and custom risk solutions to give you the confidence and freedom to focus on what matters to you. Talk to an Advisor or get a quote today.

Get a Quote    Or call 1-800-670-1877

Can’t find what you are looking for? Ask us!