
PIPEDA breach reporting requirements


PIPEDA requires organizations to report any breach of security safeguards that poses a real risk of significant harm to an individual: you must notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as soon as feasible, notify other organizations that can reduce the harm, and keep records of all breaches. These mandatory breach-reporting rules have been in force since November 2018 and carry penalties for non-compliance.

What triggers a reporting obligation

The reporting trigger under PIPEDA is a breach of security safeguards that creates a real risk of significant harm to an individual. Two concepts drive the analysis:

Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, and negative effects on credit. If a breach could plausibly lead to any of these, the reporting obligation is likely engaged, and the organization should move quickly to assess and respond.

Who you must notify and when

When a breach meets the real-risk-of-significant-harm threshold, PIPEDA requires several notifications, all to be made as soon as feasible after the organization concludes the breach has occurred: a report to the Office of the Privacy Commissioner of Canada (OPC), notification of the affected individuals, and notification of any other organizations or government institutions that may be able to reduce the risk of harm or mitigate it.

The phrase "as soon as feasible" means there is no fixed number of days, but unreasonable delay is not acceptable. Organizations are expected to act promptly once they determine a reportable breach has taken place, which is why a prepared response process matters.

The record-keeping obligation

A frequently overlooked part of PIPEDA's breach rules is the requirement to keep records of every breach of security safeguards, not only those that are reported. This applies even when an organization concludes that a particular breach does not pose a real risk of significant harm.

The records must contain enough information for the OPC to verify that the organization has complied with its reporting obligations, and they must generally be retained for a set period. The Commissioner can request these records at any time. Maintaining a complete and accurate breach log is therefore a standalone legal duty, and failing to keep proper records is itself a potential offence, separate from any failure to report a specific breach.

Building a reliable breach-response process

Meeting these obligations under pressure requires preparation, because the assessment and notifications must happen quickly. The foundation is detection: you cannot report a breach you do not know about, so monitoring, logging, and endpoint protection are essential to surface incidents in the first place.

Beyond detection, a reliable process includes a written response plan that defines who assesses real risk of significant harm, who drafts the OPC report, how affected individuals are notified, and how the breach log is updated. Rehearsing this plan keeps the team from improvising during a real event. A managed IT and cybersecurity partner can supply the monitoring and detection layer and help maintain the response plan and records, so that when a breach occurs, your organization can assess it, notify the OPC and individuals as soon as feasible, and document everything as PIPEDA requires.

FAQ

When did PIPEDA breach reporting become mandatory?

Mandatory breach reporting under PIPEDA came into force on November 1, 2018. Since then, organizations have been required to report breaches of security safeguards that pose a real risk of significant harm to the OPC and affected individuals, and to keep records of all breaches of security safeguards.

How quickly must a breach be reported under PIPEDA?

PIPEDA requires reporting as soon as feasible after the organization determines that a breach of security safeguards posing a real risk of significant harm has occurred. There is no fixed deadline in days, but unreasonable delay is not acceptable, so prompt assessment and notification are expected.

What happens if we fail to report a breach?

Knowingly failing to report a qualifying breach to the OPC, failing to notify affected individuals, or failing to keep breach records can be an offence under PIPEDA and may carry fines. Beyond penalties, unreported breaches expose the organization to greater civil and reputational risk if they later come to light.
