TL;DR: If a security breach creates a real risk of significant harm to an individual, PIPEDA requires you to notify the Privacy Commissioner of Canada and the affected individuals as soon as feasible. The threshold is statutory: the probability that the data has been or will be misused, weighed against the sensitivity of the data. Sherlock provides forensic triage that produces the evidence record an organization needs to make the RROSH determination defensibly.
What PIPEDA Section 4.7 Actually Says
Section 4.7 of the Personal Information Protection and Electronic Documents Act is the safeguards principle in Schedule 1 to PIPEDA. The principle states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The statutory language is general; the operational implementation comes from the Breach of Security Safeguards Regulations, which entered into force on 1 November 2018.
The Regulations define the trigger condition for mandatory notification: a breach of security safeguards involving personal information under the organization's control, and a real risk of significant harm to an individual. Both conditions must be satisfied. A breach with no RROSH does not trigger notification (though record-keeping is still mandatory). RROSH without a confirmed breach is not yet a trigger.
The notification has two recipients: the Privacy Commissioner of Canada and the affected individuals. The Regulations also require record-keeping for every breach (whether reportable or not) for at least 24 months following the determination that the breach occurred. The record must be available for inspection on request from the Privacy Commissioner.
The Significant Harm Enumeration
PIPEDA enumerates what counts as significant harm. The list is statutory and inclusive rather than exhaustive, but the enumerated categories are the floor of what an organization must consider:
- Bodily harm
- Humiliation
- Damage to reputation or relationships
- Loss of employment, business or professional opportunities
- Financial loss
- Identity theft
- Negative effects on credit record
- Damage to or loss of property
The "real risk" language is where most operational disputes happen. The Regulations specify that real risk is assessed against the probability that the personal information has been, is being or will be misused, and the sensitivity of the personal information. Sensitivity is contextual. Financial information is sensitive when paired with name and address; the same financial information without identifiers may not be. Health information is sensitive almost regardless of context. Login credentials are sensitive because they enable unauthorized access regardless of the data the credentials protect.
How the Privacy Commissioner Interprets the Threshold
The Office of the Privacy Commissioner of Canada (OPC) publishes investigative findings that interpret the RROSH threshold in specific incidents. The pattern across published decisions is consistent: the OPC reads the sensitivity factor broadly and reads the probability factor narrowly. An organization that argues "low probability of misuse" without forensic evidence supporting the assessment will typically lose the argument. An organization that has documented the data flow, the access scope and the threat-actor identification will get more deference.
The OPC's published guidance on what makes a strong RROSH self-assessment names three things explicitly: a forensic record of what was accessed, a documented assessment of who accessed it (or attempted to), and a contextual analysis of how the accessed data could be combined with other information sources to enable harm. The Sherlock incident response engagement produces exactly those three things as the deliverable: the forensic record (preserved with hashes and chain of custody), the access assessment (drawn from logs reconstructed across PST files, Windows event logs and browser artifacts per our standard methodology) and the contextual analysis (a Sherlock-written, legal-facing report).
The Sherlock RROSH Self-Assessment Checklist
Before calling Sherlock for incident response support, run this self-assessment. If you can answer the questions confidently, you may not need our help. If any answer is "we are not sure", you almost certainly do.
- What personal information was in the affected system? Be specific. "Customer data" is not specific enough. Name + address + financial account number reaches RROSH faster than name alone.
- How sensitive is that information in context? Health information is sensitive almost always. Login credentials are sensitive almost always. Financial information paired with identifiers is sensitive. Financial information without identifiers may or may not be.
- What evidence do you have for the access scope? Forensic logs showing what records were touched are evidence. An assertion that "the attacker only got X" without supporting logs is not.
- Who was the attacker, and what is their pattern? A nation-state actor with a known pattern of data exploitation produces a different RROSH calculus than a commodity ransomware operator who deletes data and demands payment.
- What is your record-keeping posture? Even non-reportable breaches must be documented for 24 months. Sherlock writes those records as a deliverable on every engagement.
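As an added example (not Sherlock's code and not statutory text), a breach-register entry that encodes the checklist's decision logic and PIPEDA's record-keeping rule. The data-element labels are constructed, and the screening rule is deliberately conservative: a probability claim with no forensic access evidence is treated as unsupported rather than low, and financial data without identifiers is flagged for analyst judgment rather than decided automatically.

```python
from dataclasses import dataclass, field
from datetime import date

# The eight significant-harm categories PIPEDA enumerates (the list above); the
# statute treats them as a floor, so other harms may still be asserted.
SIGNIFICANT_HARM = frozenset({
    "bodily harm", "humiliation", "damage to reputation or relationships",
    "loss of employment, business or professional opportunities", "financial loss",
    "identity theft", "negative effects on credit record", "damage to or loss of property",
})
IDENTIFIERS = {"name", "address"}      # constructed labels for direct identifiers
RECORD_RETENTION_MONTHS = 24           # record-keeping period for every breach


def add_months(iso_day: str, months: int) -> str:
    """Return the ISO date `months` after `iso_day`, clamping 29 Feb to 28 Feb if needed."""
    d = date.fromisoformat(iso_day)
    y, m = divmod(d.month - 1 + months, 12)
    try:
        return d.replace(year=d.year + y, month=m + 1).isoformat()
    except ValueError:
        return d.replace(year=d.year + y, month=m + 1, day=28).isoformat()


@dataclass
class BreachRecord:
    determined_on: str          # ISO date the organization determined a breach occurred
    data_elements: set          # constructed labels: "health", "credentials", "financial", "name", ...
    access_evidence: bool       # forensic logs show which records were touched
    misuse_indicators: bool     # e.g. confirmed exfiltration, data seen for sale, credential reuse
    harms_asserted: set = field(default_factory=set)

    def sensitivity(self) -> str:
        d = self.data_elements
        if "health" in d or "credentials" in d or ("financial" in d and d & IDENTIFIERS):
            return "high"
        return "contextual" if "financial" in d else "low"   # financial w/o identifiers: judgment call

    def misuse_probability(self) -> str:
        if not self.access_evidence:
            return "unsupported"    # "low probability" with no forensic evidence will not hold up
        return "high" if self.misuse_indicators else "low"

    def assess(self) -> dict:
        sens, prob = self.sensitivity(), self.misuse_probability()
        rrosh = sens == "high" and prob != "low"
        return {
            "sensitivity": sens, "misuse_probability": prob, "rrosh": rrosh,
            "needs_analyst_review": sens == "contextual" and prob != "low",
            "statutory_harms": sorted(self.harms_asserted & SIGNIFICANT_HARM),
            "notify_opc": rrosh, "notify_individuals": rrosh,   # both recipients, never just one
            "record_required": True,                            # every breach, reportable or not
            "retain_until": add_months(self.determined_on, RECORD_RETENTION_MONTHS),
        }
```

The `needs_analyst_review` flag is where the contextual sensitivity call from the checklist gets a human decision; the register entry itself is produced for every breach regardless of the outcome.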
If you have a current incident that may trigger PIPEDA notification, time matters. The Privacy Commissioner has been clear that "as soon as feasible" does not mean "as soon as we have completed full forensic reconstruction." Initial notification with a documented assessment and a commitment to file an updated assessment is preferable to silence. Sherlock's after-data-breach-Canada page walks through the operational sequence in more detail.
If you want a Sherlock Forensics engagement that produces RROSH-defensible evidence, call us. PIPEDA enforcement actions are growing; the OPC has been increasing investigative output year over year. The cost of a defensible forensic record is meaningfully lower than the cost of a regulatory finding that you under-reported.