Ontario Data Breach Reporting Requirements
By Yong Du
PIPEDA governs Ontario private-sector data breach reporting. Learn the RROSH threshold, OPC report obligations, individual notification, and how to comply.
Ontario data breaches and federal PIPEDA
Ontario is Canada's largest provincial economy, home to the country's largest concentration of financial services firms, technology companies, professional services practices, and SMEs across every sector. Every one of these organizations that collects, uses, or discloses personal information in the course of commercial activity is subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), including its mandatory breach reporting, notification, and record-keeping provisions.
Unlike Alberta and British Columbia, Ontario has not enacted private-sector privacy legislation deemed substantially similar to PIPEDA. There is no "Ontario PIPA." For breach reporting purposes, Ontario private-sector organizations have a single applicable framework: federal PIPEDA, enforced by the Office of the Privacy Commissioner of Canada (OPC).
This has one practical advantage over operating in Alberta: Ontario businesses report to one privacy regulator, not two. When RROSH is present, the privacy-law obligation runs to the OPC only; there is no concurrent provincial filing requirement.
Which Ontario organizations are subject to PIPEDA?
PIPEDA applies to every private-sector organization in Ontario that collects, uses, or discloses personal information in the course of commercial activity. Because Ontario has no substantially similar provincial legislation, this covers purely intraprovincial activity as well as interprovincial and international activity. PIPEDA also applies to federal works, undertakings, and businesses (federally regulated organizations), and for those organizations it additionally covers employee personal information, not just customer information.
There is no size threshold. A sole proprietor holding client contact information, a two-person accounting practice, a mid-size technology firm, and a large financial services company are all subject to PIPEDA's breach reporting obligations in the same way.
Federally regulated organizations in Ontario (banks, federally chartered trust companies, telecommunications carriers, broadcasters, and interprovincial transportation companies) are subject to PIPEDA regardless of any provincial considerations. Many of Canada's largest federally regulated organizations are headquartered in Ontario; PIPEDA is their applicable privacy framework by default. Note that a PIPEDA breach report does not discharge sector-specific incident reporting: federally regulated financial institutions, for example, have separate technology and cyber incident reporting obligations to OSFI that run on their own, shorter clock.
Organizations engaged in purely intraprovincial commercial activity are still subject to PIPEDA in Ontario because Ontario has no substantially similar provincial legislation. Unlike a Calgary-only firm that operates solely within Alberta under Alberta PIPA, an Ontario-only firm has no provincial alternative — PIPEDA applies.
Important note: PHIPA is a separate regime
Ontario's Personal Health Information Protection Act (PHIPA) governs custodians of personal health information — hospitals, physicians, pharmacists, and other regulated health professionals acting in their professional capacity. PHIPA is administered by the Information and Privacy Commissioner of Ontario (IPC Ontario).
PHIPA is outside the scope of this guide and outside the scope of ClearBreach. If your organization's primary data involves personal health information and you are a PHIPA custodian, you have obligations under PHIPA that are distinct from PIPEDA. Seek guidance specifically on PHIPA from qualified privacy counsel.
Organizations that incidentally hold some health-related data in a non-custodial capacity (for example, a business holding customers' health-related details for insurance or accommodation purposes) may still be subject to PIPEDA for that information depending on the circumstances. One caveat for employers: PIPEDA covers employee personal information only for federally regulated organizations, so a provincially regulated Ontario employer's employee benefits data generally falls outside PIPEDA as well as PHIPA. If you are uncertain which regime applies, consult a privacy lawyer.
The RROSH threshold: when a breach must be reported
PIPEDA does not require reporting every breach — only those that pose a real risk of significant harm (RROSH) to affected individuals. The RROSH determination is the central legal question in any Ontario breach response.
For a full explanation of the RROSH framework, see What Is RROSH? Real Risk of Significant Harm Under PIPEDA Explained.
What counts as significant harm?
Significant harm under PIPEDA includes:
- Bodily harm
- Humiliation
- Damage to reputation or relationships
- Loss of employment, business, or professional opportunities
- Financial loss
- Identity theft
- Negative effects on credit records
- Damage to or loss of property
The harm does not need to have occurred — only that there is a real risk it could occur given the circumstances of the breach.
The four RROSH factors for Ontario organizations
PIPEDA itself names two factors in s. 10.1(8): the sensitivity of the personal information and the probability that it has been, is being, or will be misused. The number of individuals affected and whether the information has been recovered are not separate statutory tests; they are the inputs that drive the probability assessment in practice, which is why they are broken out here.
1. Sensitivity of the personal information
Ontario businesses across professional services, financial services, and technology frequently hold highly sensitive information: social insurance numbers for payroll processing, financial account data for billing and payment, health-related information for benefits administration, and login credentials for software platforms. Each of these carries elevated sensitivity. The more sensitive the information involved in a breach, the higher the RROSH probability.
2. Probability of misuse
Was the breach the result of a targeted attack, or an accidental internal disclosure? Ransomware attacks, prevalent across Ontario's financial and professional services sectors, represent confirmed adversarial access with clear malicious intent: the highest probability scenario. Whether data was exfiltrated before encryption is a forensic question, but the absence of exfiltration evidence is not evidence of absence; treat the data as accessed unless logs affirmatively rule it out. An accidental misdirected email to a single internal colleague carries significantly lower probability. The nature and source of the breach are the primary determinants.
3. Number of individuals affected
A breach affecting hundreds of clients or employees with sensitive financial data almost certainly meets RROSH. A breach affecting a single individual with limited contact information may not. Scale is not the only factor; one individual's SIN or health record exposed to a threat actor can still meet the threshold. But it is a significant weighted input.
4. Whether the information has been recovered
Lost or stolen devices are a common breach source for Ontario organizations with mobile workforces. If a device was recovered and forensic evidence confirms the data was never accessed, this meaningfully reduces RROSH probability. Full-disk encryption with a key that was not compromised (no password on a sticky note, no cached credentials on an unlocked device) is the other fact that materially lowers probability, so document the encryption state and key custody before scoring. If the device was stolen and not recovered, treat access as having occurred unless evidence rules it out.
Reporting to the OPC: process and requirements
When your RROSH assessment determines that a real risk of significant harm exists, you must report the breach to the OPC. The statutory timing is "as soon as feasible after the organization determines that the breach has occurred" (PIPEDA s. 10.1(2)). The RROSH assessment is part of that determination, not a way to pause the clock.
What "as soon as feasible" means
PIPEDA sets no fixed number of days, but "as soon as feasible" is measured in days, not weeks. You do not need to complete a full forensic investigation before reporting. File on the information available, state plainly what is still unknown, and provide supplemental reports as your investigation continues. The OPC has made clear that delaying a report while conducting internal reviews is not an acceptable reason to miss this standard.
What the OPC breach report must contain
Your report must include the information prescribed by the Breach of Security Safeguards Regulations:
- A description of the circumstances of the breach and, if known, its cause
- The day on which, or period during which, the breach occurred (or the approximate period, if neither is known)
- A description of the personal information involved, to the extent known
- The number of individuals affected, or an approximation
- Steps taken or planned to reduce the risk of harm to affected individuals
- Steps taken or planned to notify affected individuals
- Contact information for a person in your organization who can answer the OPC's questions
Submit through the OPC's online breach portal at priv.gc.ca.
Ontario-specific note: one regulator only
Unlike organizations operating in Alberta, Ontario businesses reporting under PIPEDA file with the OPC only. There is no concurrent provincial filing requirement. Alberta PIPA requires a separate report to the OIPC Alberta, on its own form and against its own threshold. BC PIPA currently contains no mandatory breach reporting requirement, although the OIPC BC encourages voluntary reporting. Ontario organizations have one report, one portal, one regulator.
Notifying affected individuals
When RROSH is present, you must also notify every affected individual directly, as soon as feasible after determining that the breach has occurred. This is the same trigger as the OPC report; the individual notification obligation does not wait on the regulator.
What the notification must include
The notification to individuals must:
- Be given directly to each affected individual. Indirect notification (such as a public website notice or advertisement) is permitted only where direct notification would cause further harm to the individual, would cause undue hardship to the organization, or where you do not have contact information for the individual
- Describe the circumstances of the breach in plain language
- State the day on which, or period during which, the breach occurred (or the approximate period, if not known)
- Identify the type of personal information involved
- Describe the steps your organization has taken to reduce the risk of harm
- Describe the steps the individual can take to reduce the risk of harm or mitigate it
- Include contact information so the individual can ask questions or obtain further information
Timing relative to the OPC report
Both the OPC report and individual notification run from the same trigger, so in practice they go out together or in quick succession. Do not delay notifying individuals while awaiting regulatory direction or acknowledgement; the OPC has stated this expectation clearly. PIPEDA s. 10.2 also requires you to notify any other organization or government institution that may be able to reduce or mitigate the risk of harm, for example credit reporting agencies where financial identifiers were exposed, or law enforcement where a crime is involved.
Record-keeping: every breach, not just reportable ones
PIPEDA requires organizations to maintain a record of every breach of security safeguards, including those that did not reach the RROSH threshold for reporting. Each record must be retained for a minimum of 24 months from the day the organization determined that the breach occurred.
The OPC may request access to your breach records at any time. Failure to maintain the record, or to provide it upon OPC request, is an offence.
Your internal breach record should document:
- Date and description of the breach
- Nature of the personal information involved and estimated number of individuals
- RROSH determination and the reasoning behind it
- Containment and remediation steps taken
- Whether the breach was reported to the OPC and when
- Whether affected individuals were notified and when
Common breach scenarios for Ontario organizations
Ontario's economy concentrates several sectors that face elevated breach frequency and severity under PIPEDA:
Professional services — accounting firms, law firms, and consulting practices hold SINs, financial statements, tax records, and commercially sensitive information. A ransomware attack on a professional services firm almost always triggers RROSH given the sensitivity of the data involved.
Technology companies — software firms and SaaS providers hold customer account data, API credentials, and billing information. Unauthorized access to a customer database in the Waterloo or Toronto tech corridor is a standard PIPEDA breach scenario.
Financial services — mortgage brokers, credit unions, insurance brokers, and investment dealers outside the federally regulated tier hold highly sensitive financial and personal data. A breach involving account numbers, SINs, or investment records carries near-certain RROSH.
Retail and e-commerce — organizations holding payment card data, purchase history, and customer profiles. Card data breaches have a direct financial harm pathway to affected individuals.
Mobile workforces: any organization with employees or contractors working on portable devices holds breach risk at the device level. Lost or stolen devices are among the most common PIPEDA breach scenarios. Unencrypted device losses almost always reach RROSH; a device with full-disk encryption enabled, a strong unlock credential, and a confirmed remote wipe is the one scenario where the assessment can credibly land below the threshold, provided you can evidence each of those facts.
Scenario-specific guidance
For detailed guidance on how PIPEDA obligations apply to specific incident types common in Ontario:
- Ransomware Attack: What Canadian SMEs Must Do Under PIPEDA and Alberta PIPA — confirmed access, malicious intent, dwell time analysis, and OPC reporting obligations. Focus on the PIPEDA sections — the Alberta PIPA sections apply to organizations with Alberta operations.
- Lost or Stolen Device: What Canadian SMEs Must Do Under PIPEDA, Alberta PIPA, and BC PIPA — encryption uncertainty, high watermark scoring, and remote wipe procedures. Focus on the PIPEDA and immediate containment sections.
For the complete PIPEDA framework: PIPEDA Breach Reporting Requirements: What Canadian Organizations Must Know
Using ClearBreach for Ontario breach assessments
ClearBreach guides Ontario organizations through the PIPEDA RROSH assessment in a structured 18–23 question wizard. For organizations operating exclusively in Ontario with no Alberta or BC operations, the assessment focuses on PIPEDA only — producing:
- An Assessment Verdict Card — your formal RROSH determination with score, verdict, and OPC obligations triggered
- An Internal Incident Record — satisfying PIPEDA's 24-month record-keeping requirement
- An Individual Notification Letter — pre-drafted to meet PIPEDA's prescribed notification content requirements
- An OPC PIPEDA Breach Report draft — pre-populated with your assessment data, ready for OPC portal submission
All answers are processed in your browser. Nothing is transmitted to ClearBreach servers. The entire assessment takes under 15 minutes.
Frequently asked questions
Do Ontario businesses have to report data breaches?
Yes, if the breach poses a real risk of significant harm (RROSH) to affected individuals. Ontario private-sector organizations are governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). When RROSH is present, they must report to the Office of the Privacy Commissioner of Canada and notify affected individuals directly. There is no provincial private-sector breach reporting law in Ontario.
Does Ontario have its own data breach reporting law?
No — not for private-sector organizations generally. Ontario has not enacted private-sector privacy legislation substantially similar to PIPEDA. Ontario businesses are governed by the federal PIPEDA for breach reporting obligations. Ontario's Personal Health Information Protection Act (PHIPA) applies specifically to custodians of personal health information and is a separate regime outside the scope of this guide.
Do I report a data breach to the Ontario government?
No. Ontario does not have a provincial breach reporting regulator for private-sector organizations. Under PIPEDA, you report to the Office of the Privacy Commissioner of Canada (OPC) — a federal body — at priv.gc.ca. There is no Ontario Ministry or provincial office that receives private-sector breach reports under PIPEDA.
Does PIPEDA apply to Ontario small businesses?
Yes. PIPEDA applies to all private-sector organizations that collect, use, or disclose personal information in the course of commercial activity, regardless of size. There is no small-business exemption. An Ontario sole proprietor or two-person firm that holds client personal information is subject to PIPEDA's breach reporting obligations in the same way as a large corporation.
What is the difference between Ontario's privacy obligations and Alberta's or BC's?
Ontario businesses report to one regulator, the OPC, under PIPEDA only. Alberta organizations with intraprovincial activity are also subject to Alberta PIPA and must file a separate report with the OIPC Alberta in addition to any OPC report. BC PIPA currently has no mandatory breach reporting requirement, though the OIPC BC encourages voluntary reporting. For Ontario businesses, PIPEDA is the sole applicable private-sector breach reporting framework.
What happens if an Ontario business doesn't report a data breach?
Knowingly failing to report a reportable breach to the OPC, to notify affected individuals, or to keep the required breach record is an offence under PIPEDA. On indictment the fine is up to $100,000; on summary conviction, up to $10,000. The OPC may also open a formal investigation, publish its findings, and, where a complaint has been made, take the matter to the Federal Court. Reputational damage is significant: OPC investigation reports name organizations and are publicly available.
This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.
Run your formal assessment now
ClearBreach generates your verdict and all required documents automatically — in under 15 minutes.
Get early access