
Canada’s Mandatory Breach Notification and Reporting Rules Now in Effect

November 7, 2018

Bev Cleveland, AVP, Compliance & Senior Legal Counsel, Canadian Credit Union Association

On November 1, 2018, new provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA) related to breach of security safeguards came into force along with Breach of Security Safeguards Regulations.

A breach of security safeguards is defined in PIPEDA as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards ... or from a failure to establish those safeguards”.

Credit unions subject to PIPEDA will be required to keep a record of all breaches. When a breach poses a real risk of significant harm, sometimes called the ‘RROSH’ test, they are also required to:

  • Notify the affected individual(s);
  • Report the breach to the Privacy Commissioner;
  • Inform organizations that may be able to reduce the risk of harm.

The Office of the Privacy Commissioner of Canada has recently released guidance on the new breach reporting rules, an overview of what organizations need to know about their obligations.

The Canadian Credit Union Association’s recorded webinars “Privacy Breach Ready? Key Strategies for an Effective Breach Response Plan” and “Federal Privacy Commissioner Guidelines: Revisiting your Data Collection Practices” provide a comprehensive review of the new breach reporting rules and can be found at (member login required).

Please contact Bev Cleveland or Brenda King if you have any questions.