As anticipated, the Office of the Privacy Commissioner of Canada (OPC) has clarified where the obligation to report a data breach lies while personal information is resting with a third-party processor. The guidance, developed to assist organizations in meeting their breach reporting and record-keeping obligations under PIPEDA’s mandatory breach reporting regime, came into full force on November 1, 2018.

This critical piece of PIPEDA legislation impacts virtually all IAB Canada members, and we strongly recommend that you review these final guidelines with your internal privacy compliance officer and with all members of the organization dealing directly with data management and processing. We also recommend that you discuss this with your media partners to ensure these new guidelines are fully understood.

The principal organization retains control of personal data throughout the entire process, and therefore retains accountability and the responsibility for reporting a breach.

To summarize, the OPC reinforces that the principal organization bears the responsibility for reporting the breach. Because it has control of the personal information, it is responsible for reporting a violation.

To quote the guidelines:

“The Act requires an organization to report a breach involving personal information under its control. Therefore, the obligation to report the breach rests with an organization in control of the personal information implicated in the breach.”

The OPC then goes on to address the questions of responsibility and control once personal information has been transferred to a third party:

“In this regard, we note that PIPEDA’s accountability principle provides that an organization remains responsible for the personal information it has transferred to a third party for processing. In addition, we have heard from many stakeholders that requiring both the principal organization and the processor to report the breach would be largely inconsistent with existing business practices and raise various operational concerns.”

IAB Canada would like to stress the importance of maintaining a secure partner strategy. It is more important than ever to ensure that you have trusted vendors who are in full compliance with PIPEDA regulations. We strongly recommend that this be reflected in your agreements and that you revisit any existing contracts and revise them as necessary.

Our Policy & Regulatory Affairs Committee will be monitoring this matter, and we will provide updates as they become available. If you or anyone in your organization is interested in applying to the Policy & Regulatory Committee, please contact