ClearBreach

This guide is for use during an active breach.

PIPEDA, AB PIPA, BC PIPA, All sectors

Physical Records Breach — Quick Reference Guide

By Yong Du

Immediate steps and reporting obligations for Canadian organizations when paper records are lost, stolen, or improperly destroyed under PIPEDA, Alberta PIPA, and BC PIPA.

Typical verdict

RROSH present when sensitive categories are involved — the same standard applies to paper records as to digital ones

Reporting deadline

As soon as feasible after RROSH is determined — a police investigation does not pause your reporting clock

Documents you will need

  • Internal Incident Record (always required)
  • Records inventory for the affected filing cabinet, box, or storage area
  • Police report number (if theft is involved)
  • Certificate of destruction (if destruction company was involved)
  • OPC PIPEDA Breach Report (if PIPEDA RROSH triggered)
  • OIPC Alberta Notification Form (if AB PIPA applies)
  • OIPC BC Notification (if BC PIPA applies)
  • Individual Notification Letter
  • AB PIPA Individual Notice s.19.1 (if AB PIPA individual notification required)

Do not

  • Treat a physical breach as less serious than a digital breach — regulators apply the same RROSH standard to paper records
  • Wait for a police investigation to conclude before assessing RROSH and notifying — the timelines are separate
  • Assume no access occurred because the records have not appeared elsewhere — RROSH is assessed at time of breach, not after harm materializes
  • Treat strip-cut shredding of sensitive records as secure destruction — it is not

First 30 minutes

  • Secure the affected physical space: lock filing cabinets, restrict access to the records room, or recover any documents still on-site
  • Do not discard, reorganize, or destroy anything in the affected area — the current state is evidence
  • Identify what records were in the affected container or space: pull your records inventory or reconstruct from file labels, index sheets, or intake logs
  • If theft is involved, call police and note the report number — your regulatory obligations run in parallel, not after the police investigation
  • Preserve any building security footage, keycard logs, or access records immediately — many systems overwrite after 30–72 hours
  • Designate an incident lead — all communications route through them

Within 24 hours

  • Complete your records inventory: list every category of personal information in the affected records (SINs, health data, financial records, government IDs, contact information), whose records they were (clients, employees, patients), and how many individuals are affected
  • Determine the exposure window: when was the breach created (filing cabinet left unlocked, records placed in trash, shipment picked up) and when was it discovered?
  • If the breach involved a courier or shipping company: file a missing shipment claim and document the claim number; request all tracking and handling records
  • If the breach involved a document destruction company: contact them in writing immediately and request a full account of what happened to the records
  • Identify which provinces' residents are affected — this determines whether AB PIPA and BC PIPA apply in addition to PIPEDA
  • Begin your ClearBreach assessment — use worst-case scope for what was accessible if the actual scope cannot be confirmed

Within 72 hours

  • Complete your RROSH assessment in ClearBreach and review your verdict
  • If PIPEDA RROSH threshold is met: file OPC Breach Report as soon as feasible
  • If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
  • If BC PIPA applies and RROSH is met: notify the OIPC BC through their official breach notification process and notify affected BC residents directly
  • Send individual notifications: explain in plain language what physical records were involved, what information they contained, what period they were accessible, and what individuals can do — for SIN or financial data exposure, advise individuals to contact Equifax and TransUnion Canada to place a fraud alert
  • If a police report was filed, include the report number in your individual notification letters so affected individuals can reference it

Ongoing — until resolution

  • Update your Internal Incident Record as the police investigation or destruction company inquiry develops — if material new facts emerge after you have notified, send follow-up notifications to regulators and affected individuals
  • Retain all records related to the incident — police reports, correspondence with destruction companies or couriers, internal assessment records, individual notifications — for 24 months minimum from the date of discovery
  • Review physical safeguards: upgrade to cross-cut or micro-cut shredding for sensitive records, implement a locked destruction bin program, audit filing cabinet and records room access controls
  • If the breach resulted from a destruction company failure, review whether you have a contractual right to audit or require confirmation; update your contract or switch to a provider that issues verifiable certificates

Alberta PIPA — specific steps

  • Notify the OIPC Alberta and affected individuals simultaneously — simultaneous filing triggers the streamlined review process
  • Complete the official OIPC Alberta Notification Form — do not substitute an informal letter
  • Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
  • Submit by email to breachnotice@oipc.ab.ca

BC PIPA — specific steps

  • BC PIPA applies if any affected individuals are BC residents, regardless of where your organization is based
  • OIPC BC voluntary reporting is available even if RROSH is not present — for cases where destruction was improper but access cannot be confirmed, voluntary reporting demonstrates good faith
  • If RROSH is present: notify the OIPC BC through their official breach notification process at oipc.bc.ca and notify affected BC residents directly
  • Do not substitute a general public notice for direct individual notification

Shredding reference

Shredder type | Adequate for sensitive records?
Strip-cut (long ribbons) | No — documents can be reassembled; treat as inadequate destruction
Cross-cut (confetti-sized pieces) | Yes — adequate for most personal information including SINs and financial records
Micro-cut (very fine particles) | Yes — highest level; appropriate for highly sensitive or regulated records
Third-party certified destruction | Yes — if a verifiable certificate of destruction is issued

MSPs — if involved in this incident

  • If the physical records include printed credentials, access cards, or network diagrams, assess the digital exposure as a concurrent breach using the appropriate digital breach playbook
  • If you operate a document management or destruction service for clients and these records were in your custody, you are the vendor — notify affected clients immediately in writing with full details of what happened
  • The client organization remains the accountable party under PIPEDA and PIPA for their individuals' personal information; your role is to provide the facts that enable their assessment

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.
