It has been 10 years.
From IAB Canada:
As anticipated, the Office of the Privacy Commissioner of Canada (OPC) clarified where obligation lies in reporting a data breach while personal information is resting with a third-party processor. Developed to assist organizations in meeting their breach reporting and record-keeping obligations under PIPEDA’s mandatory breach reporting regime, this comes into full force on November 1, 2018.
This critical piece of PIPEDA legislation impacts virtually all IAB Canada members and we strongly recommend you review these final guidelines with your internal privacy compliance officer and all members of the organization dealing directly with data management and processing. We also recommend that you discuss this with your media partners to ensure these new guidelines are fully understood.
The principal organization retains control of personal data, throughout the entire process, and therefore retains accountability and the responsibility for reporting a breach.
To summarize, the OPC reinforces that the principal organization bears the responsibility in reporting the breach. As they have control of the personal information it is therefore their responsibility to report a violation.
IAB Canada would like to stress the importance of maintaining a secured partner strategy. It is more important than ever to ensure that you have trusted vendors who are in full compliance with PIPEDA regulation. We strongly recommend that this is reflected in your agreements and that you revisit any existing contracts to revise as necessary.