Office of the Privacy Commissioner’s New Online Privacy Breach Reporting Forms


On May 24, 2024, the Office of the Information and Privacy Commissioner of Canada (“Privacy Commissioner”) released updated guidance on data breach reporting for federal government institutions and businesses. The update includes a new online breach reporting form for federal government institutions under the Privacy Act, R.S.C. 1985, c. P-21 (the “Privacy Act”) and a revision of the existing form for private businesses governed by the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”). These updates aim to streamline and enhance the reporting process and allow businesses to update existing reports.

1. Privacy Breach Reporting Requirements

A privacy breach occurs when personal information is lost, accessed without authorization, or disclosed improperly. Breaches often happen when personal information is stolen, lost, or mistakenly shared. Depending on the circumstances, federal government institutions subject to the Privacy Act and private businesses governed by PIPEDA may need to report privacy breaches to the Privacy Commissioner. Reporting privacy breaches helps alert officials to incidents and emerging issues, enabling them to be addressed and managed appropriately.

2. Private Businesses Under PIPEDA

PIPEDA requires private businesses to report any breach involving personal information under its control if it is reasonable to believe a material breach occurred, regardless of how many people are affected. “Material breaches” are those that could reasonably be expected to pose a “real risk of significant harm” to an individual. Significant harm includes things like humiliation, bodily harm, damage to reputation or relationships, loss of employment or business, identity theft, negative effects on credit records, and damage to or loss of property. Relevant factors in determining whether a data breach implicates a real risk of significant harm include the sensitivity of the personal information involved and the probability of its misuse. Once a breach has been discovered and reported, organizations must notify any affected individuals when a breach poses a real risk of significant harm.

The new Privacy Commissioner Online Breach Reporting Forms facilitate the submission of new privacy breach reports and related documents and allow businesses to add documents to existing breach reports. However, organizations can still report a breach to the Privacy Commissioner in any format, provided it includes all necessary information. As such, organizations can still submit a breach report using the PIPEDA breach report form, available in PDF format.

3. Federal Government Institutions Under the Privacy Act

The Privacy Breach Action Plan, originally initiated in July 2019, was designed to enhance privacy breach management across the government. As part of this initiative, the Privacy Commissioner and the federal government’s Treasury Board Secretariat (“TBS”) jointly developed the Privacy Act Material Privacy Breach PDF forms. The new Privacy Commissioner Online Breach Reporting Forms are designed to mirror and be equivalent to the former PDF forms, ensuring that all required information is reported under the Directive on Privacy Practices.

By using the online form, federal government institutions can fulfill their obligation to report any privacy breach involving sensitive personal information that could reasonably be expected to cause harm or injury to the individual (i.e. a material privacy breach) to both the Privacy Commissioner and TBS. Data entered into the online form will be automatically sent to both TBS and the Privacy Commissioner, and a copy of the report, including the Privacy Commissioner’s file number, will be sent to the reporting institution.

Federal government institutions can also use the online form, together with the file number assigned by the Privacy Commissioner’s Office, to provide timely updates on previously reported breaches. Any new or updated information will be automatically added to the breach record in the Privacy Commissioner’s Office and TBS systems.

As outlined in section 4.2.8 of the Policy on Privacy Protection, federal government institutions subject to the Privacy Act must notify the Privacy Commissioner and TBS of all material privacy breaches no later than 7 days after an institution determines a breach is material. Before making a report, institutions are also required to take steps to contain, assess, and mitigate the breach. The Directive on Privacy Practices, Appendix B: Mandatory Procedures for Privacy Breaches details how institutions must meet their obligations, including the reporting of material privacy breaches. Federal government institutions must inform the Privacy Commissioner of the steps taken to mitigate the impact of a breach when it involves sensitive personal information and is reasonably expected to pose a real risk of significant harm to the individual.

The new Privacy Commissioner Online Breach Reporting Forms streamline the breach reporting process by allowing institutions to enter, review, and edit all relevant details online, which in turn gives officials consistent data for analyzing privacy breaches and making necessary updates to the privacy policy suite. The completed report can then be submitted simultaneously to both the Privacy Commissioner and TBS, with an option to download a copy for the institution’s records. Alternatively, a breach report can still be submitted using the Privacy Act Material Breach Report Form, available in PDF format.