Privacy Implementation Notice 2024-02: Use of the Office of the Privacy Commissioner’s Online Breach Reporting Form

1. Effective date

This implementation notice takes effect on July 8, 2025. It replaces the notice published on January 27, 2025.

2. Authorities

This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Purpose

This implementation notice is meant to encourage institutions to use the Office of the Privacy Commissioner of Canada’s (OPC’s) Online Breach Reporting Form to meet their obligation to report material privacy breaches to the OPC and the Treasury Board of Canada Secretariat (TBS).

4. Context

Federal institutions subject to the Privacy Act are required to notify the OPC and TBS of all material privacy breaches under section 4.2.12 of the Policy on Privacy Protection.

Institutions must report material privacy breaches after making efforts to contain, assess and mitigate the breach, and no later than seven days after the institution determines the breach is material. The Directive on Privacy Practices, Appendix B: Mandatory Procedures for Privacy Breaches, prescribes how institutions must fulfill their obligations, including reporting of material privacy breaches.

The Privacy Breach Action Plan was launched in July 2019 to strengthen privacy breach management across government. As part of that plan, the OPC and TBS collaborated on the development of the Privacy Act Material Privacy Breach Form. In March 2024, the Directive on Privacy Practices was updated to prescribe the use of this PDF form. The update also expanded what information is to be included in breach reports. The OPC Online Breach Reporting Form mirrors and is equivalent to the PDF form.

Reporting breaches alerts officials to incidents and emerging issues so that they can be addressed and managed appropriately. The new forms have been designed to provide officials with consistent data to analyze privacy breaches and make any necessary updates to the privacy policy suite.

5. Guidance

Federal institutions are strongly encouraged to use the OPC’s Online Breach Reporting Form as the preferred method for submitting material privacy breach reports to TBS and the OPC. While not mandatory, this method is highly recommended for its efficiency and effectiveness. The exception may be when the portal cannot be used due to the need to include documents above Protected B. Using the online form is considered the equivalent of using TBS’s Privacy Act Material Privacy Breach form prescribed by B.2.4.5.1 of the Directive on Privacy Practices. The online form mirrors the structure and content of the prescribed PDF form, covering all the information that institutions must report under the Directive on Privacy Practices.

Using the online form will help institutions meet their obligation to adequately report any privacy breach that could reasonably be expected to create a real risk of significant harm to an individual (that is, a material privacy breach) to the OPC and TBS.

Data inputted through the online form will be automatically sent to both TBS and the OPC. A copy of the report will also be sent to the reporting institution with the OPC file number.

Institutions can also use the online form and their OPC file number to provide timely updates on a previously reported breach. The new or updated information will be automatically added to the breach record in the OPC and TBS systems.

For more information on how to respond to privacy breaches and mitigate their risks, institutions should refer to the Privacy Breach Management Toolkit, which provides tools and guidance on privacy breach management in four phases.

6. Application

This implementation notice applies to the government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.

7. References

Legislation

• Privacy Act

Related Treasury Board policy instruments

• Directive on Privacy Practices
• Directive on Security Management
• Policy on Government Security
• Policy on Privacy Protection
• Privacy Breach Management Toolkit

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries at publicenquiries-demandesderenseignement@tbs-sct.gc.ca for information about this implementation notice.

Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Responsible Data Division at ippd-dpiprp@tbs-sct.gc.ca for information about this implementation notice.