What to Expect Come November 2018: Privacy Commissioner’s Final Guidelines on Mandatory Breach Reporting under PIPEDA

Blake, Cassels & Graydon LLP

As of November 1, organizations subject to PIPEDA will be required to notify the OPC and affected individuals of “a breach of security safeguards” involving personal information under the organization’s control where it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to affected individuals. Other organizations and government institutions must also be notified if they may be able to mitigate or reduce the risk of harm to affected individuals. Organizations must also keep and maintain records of all breaches of security safeguards regardless of whether they meet the harm threshold for reporting.

Failure to report a breach or maintain records as required is an offence under PIPEDA, punishable by a fine of up to C$100,000.

The OPC’s guidance provides direction to organizations on how to assess whether a particular breach creates a “real risk of significant harm”, outlines the OPC’s minimum expectations for breach records, and provides a breach report form that organizations may use to report a breach to the OPC.

The final guidance also clarifies that the organization in “control” of personal information is responsible for complying with PIPEDA’s reporting and record-keeping requirements and that an organization acting only as a service provider to the controlling organization is not subject to these requirements. This is an improvement over the draft guidance, which suggested that both organizations would be required to file a report with the OPC, a position that is inconsistent with the wording of the statute and existing business practices.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blake, Cassels & Graydon LLP | Attorney Advertising
