Risk & Compliance

PIPEDA Breach Notification Guide

Know when to report, who to notify and what to include.

PIPEDA breach notification requires Canadian organizations to report breaches of security safeguards that create a real risk of significant harm (RROSH). You must notify the Office of the Privacy Commissioner, affected individuals and third parties that can reduce the harm, and keep a record of every breach whether or not it meets the threshold. Fines for knowingly failing to do so reach $100,000 CAD per offence. This guide covers the complete notification process from containment through record-keeping.

The Threshold

The RROSH Test

PIPEDA's mandatory breach notification is triggered by the Real Risk of Significant Harm test. Not every breach requires notification. You must assess whether the breach creates a real risk -- not a theoretical one -- of significant harm to any affected individual. This assessment must be documented regardless of the outcome.

Significant harm includes:

Financial harm
Identity theft, fraud, unauthorized transactions or credit damage resulting from exposed financial data.
Reputational harm
Humiliation, damage to relationships or damage to professional standing from exposed personal information.
Physical harm
Bodily harm, intimidation or harassment made possible by exposed addresses or location data.
Employment harm
Loss of employment or business opportunities resulting from exposed records.

Factors in the assessment: the Act (section 10.1(8)) names two factors explicitly, the sensitivity of the personal information involved and the probability that it has been, is being or will be misused. In practice that probability turns on how the breach occurred (targeted theft versus accidental exposure), whether the data was encrypted or otherwise protected so that it is unusable to whoever holds it (and the key was not compromised alongside it), and whether there is evidence the data has been accessed or published. The number of individuals affected is reported to the OPC but does not decide the threshold: a breach affecting a single person can create a real risk of significant harm.

Obligations

Who You Must Notify

1. Office of the Privacy Commissioner (OPC): Submit a breach report using the OPC's prescribed form. The report must include a description of the circumstances of the breach and, if known, its cause; the day or period during which it occurred; the type of personal information compromised; an estimate of the number of affected individuals; steps taken to reduce the risk of harm; steps taken to notify individuals; and the name and contact information of a person who can answer the OPC's questions. Reports can be submitted through the OPC's online portal.

2. Affected Individuals: Notify each affected individual directly. Notification must include a description of the breach and when it occurred, the personal information involved, steps your organization has taken to reduce the risk of harm, steps the individual can take to protect themselves (such as changing passwords or monitoring credit) and a contact point for further questions. Direct notification by email, letter, phone or in person is the default. Indirect notification (a public announcement or website notice) is permitted only where direct notification would be likely to cause further harm to the individual, would cause undue hardship for the organization, or the organization does not have current contact information for the individual.

3. Third-Party Organizations: Notify any organization or government institution that you believe can reduce the risk of harm. This often includes law enforcement if criminal activity is suspected, financial institutions if payment card data was exposed and credit monitoring agencies if Social Insurance Numbers or financial identifiers were compromised.

Timing

Notification Timeline

PIPEDA requires notification "as soon as feasible" after you determine that the RROSH threshold is met. There is no fixed deadline in the Act. However, the OPC has indicated that weeks, not months, is the expected timeframe. Unreasonable delay can lead to additional findings against your organization. Your forensic investigation and legal review should run in parallel with notification preparation, not sequentially.

Phase | Expected Timeframe
Breach containment | Immediate (hours)
Forensic investigation start | Within 24-48 hours
RROSH assessment | Within first week
OPC notification | As soon as feasible after RROSH determination
Individual notification | As soon as feasible, concurrent with OPC report
Breach record documentation | Ongoing, retained 24 months minimum

Enforcement

Penalties for Non-Compliance

Knowingly failing to report a breach to the OPC is an offence under PIPEDA Section 28. Knowingly failing to notify affected individuals is also an offence, as is knowingly failing to keep and retain breach records for 24 months. Each offence carries a fine of up to $10,000 CAD on summary conviction or up to $100,000 CAD on indictment. The OPC itself does not levy these fines; it can refer non-compliance to the Attorney General of Canada for prosecution. Beyond fines, a finding of non-compliance damages public trust and can trigger class action litigation.

Provincial privacy legislation may impose additional requirements. Organizations operating in Quebec must also comply with Law 25, which has its own breach notification rules and penalties up to $25 million CAD or 4% of global turnover. Alberta's PIPA has similar mandatory notification provisions. If your organization operates across provinces, you may need to satisfy multiple notification regimes simultaneously.

Our Role

How Sherlock Forensics Supports Breach Response

Forensic Investigation: We determine what happened, when it happened, what data was accessed and how the attacker gained entry. Our forensic findings provide the factual foundation for your RROSH assessment. We preserve evidence to court-admissible standards in case the matter proceeds to litigation or prosecution.

Scope Determination: We identify exactly which records were compromised, which systems were affected and the timeframe of unauthorized access. Accurate scoping prevents both under-notification (a compliance risk) and over-notification (an unnecessary business disruption).

Reporting Assistance: We help draft the technical sections of OPC breach reports and individual notification letters. Our reports document the breach timeline, affected systems, compromised data categories and remediation steps in the format the OPC expects. We work alongside your legal counsel throughout the process.

Record-Keeping: We provide detailed forensic reports that satisfy PIPEDA's 24-month record retention requirement. Every breach, whether it meets the RROSH threshold or not, must be documented. Our reports include the investigation methodology, findings, RROSH assessment rationale and remediation actions taken.

Get Started

Dealing with a breach right now?

Contact us for immediate forensic investigation and breach notification support. Available 24/7 for active incidents.

Since 2006. 4.8/5 rating. CISSP, ISSAP, ISSMP certified.

Questions

Frequently Asked

What is the RROSH test under PIPEDA?
RROSH stands for Real Risk of Significant Harm. Under PIPEDA, organizations must assess whether a breach creates a real risk of significant harm to affected individuals. Significant harm includes identity theft, financial loss, damage to reputation and humiliation. If the risk is real, notification to the OPC and affected individuals is mandatory.
Who must be notified after a PIPEDA breach?
If the RROSH test is met, you must notify three parties: the Office of the Privacy Commissioner of Canada (OPC), all individuals affected by the breach and any other organizations that may be able to reduce the risk of harm to affected individuals. Failure to notify is an offence under the Act.
What are the penalties for not reporting a PIPEDA breach?
Knowingly failing to report a breach to the OPC or notify affected individuals is an offence punishable by fines up to $100,000 CAD per violation. Failing to maintain breach records is also an offence. The OPC can refer matters to the Attorney General for prosecution.
How quickly must we report a breach under PIPEDA?
PIPEDA requires notification "as soon as feasible" after determining that the RROSH threshold is met. There is no fixed number of days specified in the Act. However, the OPC expects reporting within days to weeks, not months. Unreasonable delays can result in additional findings against your organization.
Can Sherlock Forensics help with our breach notification?
Yes. We provide forensic investigation to determine the scope of the breach, assist with the RROSH assessment, help draft OPC notification reports and advise on individual notification content. Our forensic findings provide the factual basis your legal counsel needs to meet PIPEDA requirements.