PIPEDA’s New Mandatory Data Breach Reporting Rules: What Clinics in Canada Need to Know

On November 1, 2018, significant changes to Canada’s PIPEDA regulations came into effect. However, if you’re like most Canadian businesses, you may be wondering…What is PIPEDA? What has changed? And why should I care?In this short article, we will provide everything you need to know to keep yourself, and your clinic, informed.


In Canada, all businesses that collect, use, and disclose personal information must comply with the regulations outlined by the Personal Information Protection and Electronic Documents Act (PIPEDA). In other words, as a healthcare professional that manages patient data, PIPEDA applies.

What’s changed?

As of November 1, 2018, new PIPEDA requirements came into effect. The most significant change being the new mandatory breach reporting requirements. The new notification requirement follows a three-pronged approach. All breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals will be required to:

  • – report to the Privacy Commissioner of Canada,
  • – notify affected individuals about those breaches, and
  • – keep records of all breaches.

A comprehensive overview of the changes to PIPEDA is available from the Office of the Privacy Commissioner of Canada.

What is a breach of security safeguards?

The Office of the Privacy Commissioner of Canada defines a breach of security safeguards in PIPEDA as: “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.”

Why should I care?

Failing to comply with PIPEDA’s reporting, notification and record-keeping requirements relating to breaches of security safeguards can lead to significant fines, downtime in clinic productivity, and reputation damages that can sabotage clinic viability. As cyber-attacks targeting healthcare become more sophisticated, now, more than ever, it’s critical that healthcare professionals protect their practice with necessary safety measures, and policies and procedures that detect, escalate and respond to privacy breach incidents. Whether you’re looking for support in developing a robust incident response plan or need guidance on how to train your employees on PIPEDA requirements, Brightsquid can help. Ask us about our PIPEDA Compliance Support Services today.