PIPEDA mandatory breach reporting (in force Nov 1, 2018): report RROSH breaches to OPC + notify affected individuals + KEEP RECORDS OF ALL BREACHES for 24 months
Summary
Claim: PIPEDA mandatory breach reporting (in force since November 1, 2018):
- Report breaches posing a "real risk of significant harm" (RROSH) to the Office of the Privacy Commissioner (OPC).
- Notify affected individuals.
- Keep records of ALL breaches (RROSH or not) for 24 months.
Source: https://www.priv.gc.ca/.../gd_pb_201810; iapp.org; lexisnexis.com
Confidence: Verified.
Why this matters for Candid: The 24-month record-keeping requirement applies to every breach, including those that do not meet the RROSH threshold. This is a recurring operational obligation, not a one-time task; see R4 (Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch). It is the same maintenance-discipline argument as the data brief's R5 (Budget for pipeline maintenance from day one): if the client can't commit to upkeep, rent the managed version instead of building one.
Related entries
Referenced by (4)
- reference Research brief: client portals for SMBs — the honest case (June 2026) relates-to
- reference PIPEDA penalties — up to CAD $100,000 per violation for knowingly failing to report, notify, or maintain breach records; OPC can refer to AG depends-on
- reference IBM/Ponemon Cost of a Data Breach (Jul 30, 2024; 604 orgs; Mar 2023-Feb 2024): Canadian average CA$6.32M (down from CA$6.94M in 2023); 2025 figure ~CA$6.98M per separate edition relates-to
- rule R4 — Treat data custody as a project line item, not a footnote: PIPEDA consent + MFA + encryption + breach response plan + 24-month breach records all live in scope before launch depends-on