Accidental Email Disclosure — Quick Reference Guide

First 30 minutes

• Contact the recipient directly by email — request deletion of the email and any attachments
• Attempt an email recall if your mail system supports it — document the attempt
• Identify every recipient — check To, CC, and BCC fields; check if the email was forwarded
• Preserve the original sent email, any recall confirmation, and all recipient communications
• Designate one person as incident lead

---

Within 24 hours

• Determine whether the recipient is known (named individual) or unknown (domain typo, unrecognized address)
• Identify exactly what personal information was disclosed — body text and all attachments
• Assess sensitivity of the disclosed information:
  • Contact details only (name, email, phone) — lower RROSH
  • Health information, financial data, SIN, credentials, or passwords — higher RROSH
  • Combination of fields that together enable identity theft — assess carefully
• Assess volume — single recipient or multiple external recipients?
• Check whether recipient has confirmed deletion in writing — document the response
• Identify which provinces affected individuals are in — determines whether AB PIPA and/or BC PIPA apply
• Run your ClearBreach RROSH assessment — do not pre-determine the outcome

---

Within 72 hours

• Complete your RROSH assessment and review your verdict
• If RROSH is NOT present: finalize and retain your Internal Incident Record — no regulator filing required
• If PIPEDA RROSH is met: file OPC Breach Report as soon as feasible
• If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
• If BC PIPA applies: consider voluntary OIPC BC report even if RROSH is borderline — demonstrates good faith
• Send individual notification letters directly to affected individuals — do not substitute a public or website notice
• Complete your Internal Incident Record with all actions, timestamps, and the RROSH determination

---

Ongoing — until resolution

• If recipient has not responded to deletion request: follow up in writing; document non-response as part of your RROSH record
• Monitor for signs the disclosed information has been misused
• Update your Internal Incident Record as new information becomes available
• Retain all records for 24 months minimum from the date of the incident
• Identify the root cause — auto-complete error, distribution list issue, BCC oversight — and document any process changes made

---

Alberta PIPA — specific steps

• Notify OIPC Alberta and affected individuals simultaneously — simultaneous filing triggers the streamlined review process and a private closing letter
• Complete the official OIPC Alberta Notification Form — do not substitute an informal letter
• Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
• Submit by email to breachnotice@oipc.ab.ca

---

BC PIPA — specific steps

• BC PIPA applies if any affected individuals are BC residents — applies regardless of where your organization is based
• Voluntary reporting to OIPC BC is recommended even when RROSH is borderline — file through oipc.bc.ca
• Notify affected BC residents directly — do not substitute a general public notice for direct notification

---

MSPs — if managing this for a client

• Confirm with the client in writing who leads the RROSH assessment and regulatory notification
• If the disclosure originated from a tool or system you manage, document your involvement immediately
• Run a ClearBreach assessment under your MSP account for the affected client organization
• Document all client communications with timestamps