The Federal Government has set November 1, 2018 as the date on which certain sections of the Digital Privacy Act will come into effect. This Act amended the Personal Information Protection and Electronic Documents Act ("PIPEDA").

On the same date, the new Breach of Security Safeguards Regulations will also come into effect. The Regulations, in particular, impose significant new obligations on organizations, and steps should be taken to ensure that companies are ready for November 1, 2018.

PIPEDA is federal legislation that applies to organizations throughout Canada, save for those in provinces that have implemented substantially similar requirements. Currently, PIPEDA governs the use and disclosure of personal information in all provinces other than Alberta and Quebec. It also applies to some organizations in British Columbia.

The most significant changes relate to mandatory reporting of data breaches. Below is a brief run-down of the key changes, and how organizations can begin to get ready.

Report to the Privacy Commissioner

Under the new Regulations, an organization that experiences a privacy breach that poses a "real risk of significant harm" to an individual must report the breach to the Federal Privacy Commissioner. Reporting must be done as soon as feasible, and must be in writing.

Some guidance has been provided on what constitutes a "real risk of significant harm." An incident should be considered to pose such a risk if it includes:

  • bodily harm
  • humiliation
  • damage to reputation or relationships
  • loss of employment or professional opportunities
  • financial loss
  • identity theft
  • negative effects on the credit record
  • damage to or loss of property

In the event that an organization deems a breach to pose such a risk, then a report to the Commissioner must include at least the following:

  • the circumstances of the breach
  • the cause, if determined at the time
  • the personal information that was the subject of the breach
  • the date or period of time of the breach

Notice to Affected Individual(s)

In addition to reporting requirements to the Commissioner, the new Regulations mandate that organizations notify individuals affected by the breach. Such notification must be made in person, or by email or telephone, unless it would be prohibitively expensive to do so, the organization does not have the affected individual's contact information, or contacting the affected individual would cause further harm.

In terms of the content of such notice, organizations are required to provide at least the following:

  • the circumstances of the breach
  • what information was exposed as part of the breach
  • the date or period of time of the breach
  • the steps taken by the organization to reduce the risk of harm resulting from the breach
  • the steps that the affected individual can take herself to reduce the harm resulting from the breach
  • a toll-free telephone number and/or email address that the affected individual can access to obtain further information about the breach
  • details of the organization's internal complaint process and the affected individual's rights relating to filing a formal complaint with the Commissioner


In addition to requirements related to reporting, the new Regulations impose on organizations an obligation to retain records of any and all breaches for a period of at least two years following the date of a breach.

The new Regulations have teeth as well, granting the Commissioner the right to compel such records, and the discretion to impose a fine of up to $100,000 on organizations that knowingly fail to abide by the above reporting requirements.

Notice to Other Organizations

The new Regulations require that an organization which is the subject of a breach with real risk of significant harm may also be required to advise government entities or other organizations of the breach, if the organization believes that doing so would reduce the risk of harm from the breach. The new Regulations provide no further clarity on the content of such notice.

Are You Ready?

Given the ever-increasing focus in the media on the misuse of individuals' data and information, there is every reason to believe that the new data breach notification obligations will be taken seriously.

In addition to having in place the necessary policies and procedures within an organization for the collection and retention of records relating to breaches, companies would be wise to train their staff on the identification and timely reporting of breaches.

There may be room to debate whether specific breaches are likely to cause a real risk of significant harm, but it can be assumed that there will be little sympathy afforded those organizations that do not plan properly and do not have in place the proper policies and training by November 1, 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.