Canada’s OPC Shares Insights One Year Into Mandatory Breach Reporting

By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.

Businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are required to report to the Office of the Privacy Commissioner of Canada (OPC) any breach of security safeguards involving personal information that poses a risk of significant harm.

In addition to reporting breaches of security safeguards, businesses must keep and maintain, for a minimum of two years, a record of every breach of security safeguards involving personal information in their possession. The OPC has the authority to proactively inspect these records.

The OPC’s analysis resulting from the past year’s mandatory breach reporting revealed that 58% of reported breaches involved unauthorized access.  One in five data breaches involved accidental disclosure — documents containing personal information were provided to the wrong individual.

Some challenges faced by Canadian businesses resulted from third parties collecting personal information on their behalf without appropriate safeguards, and from employees who were not aware of privacy risks and their privacy responsibilities. Each of these scenarios led to a breach.

The OPC provided tips to reduce privacy breach risks, such as:

  • Pay attention to alerts and other information from your industry association and other sources of industry news. Attackers will often re-use the same attacks against multiple organizations.
  • Inventory your data and maintain the confidentiality, integrity and availability of your “at rest” and “in transit” data.
  • Monitor your third parties. Know if your third parties are collecting personal information on your behalf and without appropriate safeguards.
  • Train your employees to recognize privacy risks and know their privacy responsibilities.
  • Conduct risk assessments of your system and processes.

These details and more information on this topic can be found on the OPC’s blog at https://www.priv.gc.ca/en/blog.

CSR Privacy Solutions, Inc. can ease the tension small to medium-sized businesses (SMBs) may feel with implementing and keeping up to date with necessary policies and procedures. It is literally privacy made simple, with a focus on risk awareness, avoidance and evaluation. CSR Readiness® Pro is an award-winning bundle of privacy solutions that businesses use to mitigate the risk of data breach and the consequences of non-compliance associated with the handling of legally protected personal information.

CSR Readiness delivers a PROACTIVE solution, enabling small to medium-sized businesses (SMBs) to assess their privacy systems and safeguards and presenting them with suggested improvements for areas the program identifies as deficient. Many companies may still suffer a data breach – when this happens, Breach Reporting Service is the REACTIVE solution that provides privacy reporting for the SMB community. CSR-V3 is an automated vendor privacy risk reduction tool which documents your vendor management, verification and validation due diligence.
