Are you collecting, using or disclosing personal information (PI) of Canadian residents in the course of commercial activities? If so, you may be subject to Canada’s Breach of Security Safeguards Regulations (Regulations), under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Regulations, which went into effect on November 1, 2018, organizations that are subject to PIPEDA are required to report security breaches involving PI that “pose a real risk of significant harm,” notify affected individuals of the breach, and maintain records of every breach, reported or not, for at least two years. Businesses that fail to comply with the Regulations may be subject to fines of up to CA$100,000 per offense.

Canada’s Office of the Privacy Commissioner recently released its final guidance (Guidance) on how companies can meet the reporting, notice, and recordkeeping requirements under the Regulations, providing some important clarifications. For instance, the Guidance clarifies that the organization in control of the PI implicated in breach is responsible for reporting the breach; also, where PI has been transferred to a third party for processing, the “principal organization” will remain responsible for any breach that arises with said third-party processor. Notwithstanding, the Guidance recognizes that such determinations need to be made on a case-by-case basis. Hence, the Guidance encourages the principal organization to have sufficient contractual arrangements in place with its processors to address compliance with the Regulations.