PIPEDA Breach Reporting Requirements: What Canadian Organizations Must Know
Complete guide to PIPEDA data breach reporting requirements — RROSH assessment, OPC reporting obligations, individual notification, and the 24-month record-keeping rule.
What PIPEDA requires when a breach occurs
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) imposes mandatory breach reporting obligations on private-sector organizations engaged in commercial activity. The requirements flow from the Breach of Security Safeguards Regulations, which came into force on November 1, 2018.
When a breach of security safeguards occurs — meaning any unauthorized access to, use of, or disclosure of personal information — organizations must complete three tasks if the breach poses a real risk of significant harm:
- Report the breach to the Office of the Privacy Commissioner of Canada (OPC)
- Notify all affected individuals directly
- Maintain an internal record of the breach for 24 months
Every breach must be recorded internally, even those that do not reach the RROSH threshold for reporting.
Who is subject to PIPEDA breach reporting?
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity in Canada. This includes:
- Businesses of any size operating interprovincially or internationally
- Organizations in federally regulated sectors (banking, telecommunications, transportation, broadcasting) regardless of province
- Organizations in provinces without substantially similar provincial legislation
Provincial exceptions: Alberta (PIPA) and British Columbia (PIPA) have provincial legislation deemed substantially similar to PIPEDA. Organizations that only collect, use, and disclose personal information within Alberta or BC in the course of purely intraprovincial commercial activity are governed by the provincial legislation instead of PIPEDA. However, if any commercial activity crosses provincial or international borders, PIPEDA applies.
In practice, most Canadian SMEs are subject to PIPEDA for cross-border transactions, online business, and any activity that moves personal information outside the province. If you are uncertain which legislation applies to your organization, err on the side of compliance with both PIPEDA and your applicable provincial PIPA.
Understanding RROSH: the threshold that triggers reporting
Not every breach triggers mandatory reporting. PIPEDA uses a threshold called Real Risk of Significant Harm (RROSH). A breach must be reported only if it poses a real risk of significant harm to one or more affected individuals.
What counts as significant harm?
The Breach of Security Safeguards Regulations define significant harm to include:
- Bodily harm
- Humiliation
- Damage to reputation or relationships
- Loss of employment, business, or professional opportunities
- Financial loss
- Identity theft
- Negative effects on credit records
- Damage to or loss of property
The harm does not need to have occurred — only that there is a real risk it could occur. "Real" means more than speculative: it must be a genuine possibility given the nature and sensitivity of the personal information involved.
The four RROSH factors
Organizations must assess four factors when determining whether RROSH is present:
1. Sensitivity of the personal information: Financial account numbers, social insurance numbers, health information, and passwords are highly sensitive. Name and address alone are lower sensitivity. The more sensitive the information, the higher the probability RROSH is present.
2. Probability that the personal information has been, is being, or will be misused: Was access confirmed? Was it an intentional attack or an accidental disclosure? Ransomware attacks and deliberate exfiltration carry high probability of misuse. An internal accidental send to the wrong recipient with prompt recall carries lower probability.
3. Number of individuals affected: A breach affecting thousands of individuals with sensitive data almost certainly triggers RROSH. A breach affecting one individual with limited information may not. Scale is not determinative on its own; one affected individual with highly sensitive information (e.g., a health record or SIN) can still meet the RROSH threshold.
4. Whether the information has been recovered: If stolen data has been definitively recovered and there is strong evidence it was not accessed or copied, this reduces the probability of harm. Unrecovered data, particularly in ransomware or confirmed exfiltration scenarios, weighs heavily toward RROSH.
Reporting to the OPC: what, when, and how
If your RROSH assessment determines that a real risk of significant harm exists, you must report the breach to the OPC as soon as feasible after making that determination.
Timing: what "as soon as feasible" means in practice
The OPC expects organizations to report within days of determining RROSH is present — not weeks. You do not need to complete a full forensic investigation before reporting. File on the information available at the time and provide supplemental reports as your investigation continues.
The OPC has signalled increasing scrutiny of organizations that delay reporting while conducting internal investigations. If you determine RROSH is present, do not postpone the report.
What the OPC breach report must contain
Your report to the OPC must include:
- A description of the circumstances of the breach
- The date or approximate date of the breach
- A description of the personal information involved
- The number of individuals affected (or an estimate)
- The steps your organization has taken or will take to reduce the risk of harm
- The steps your organization has taken or will take to notify affected individuals
- Contact information for a person within your organization who can answer questions
You submit the report through the OPC's online breach portal at priv.gc.ca.
Notifying affected individuals
When RROSH is present, you must also notify every affected individual directly, as soon as feasible after determining RROSH.
Requirements for individual notification
The notification must:
- Be given directly to each affected individual (not through a public notice, unless direct notification would cause further harm or is not reasonably possible)
- Describe the circumstances of the breach in plain language
- Identify the type of personal information involved
- Describe the steps your organization has taken to reduce the risk of harm
- Describe the steps the individual can take to protect themselves
- Include a toll-free number or other means to contact your organization for further information
When public notice is permitted
Direct notification is the requirement. Public notice is permitted only if direct notification would itself cause further harm, would be unreasonably difficult (e.g., you do not have current contact information for all affected individuals), or would be disproportionately expensive given the scale of the breach and nature of the harm. Even then, a public notice should be accompanied by direct notification wherever direct contact is feasible.
Record-keeping: the 24-month requirement
Every organization subject to PIPEDA must maintain a record of every breach of security safeguards — regardless of whether the breach reached the RROSH threshold for reporting. This record must be retained for a minimum of 24 months from the date the organization determined a breach occurred.
The OPC may request access to this record. Failure to maintain the record, or failure to provide it to the OPC upon request, is an offence under PIPEDA.
Your internal breach record should document:
- Date and description of the breach
- Nature of the personal information involved
- Cause of the breach (if known)
- Number of individuals affected
- RROSH determination and the reasoning behind it
- Steps taken to contain the breach and prevent recurrence
- Whether the breach was reported to the OPC and individuals notified
What happens if you don't comply?
Failing to report a reportable breach, failing to notify affected individuals, and failing to maintain the required record are each offences under PIPEDA. Penalties include:
- Fines of up to $100,000 per violation for organizations that knowingly fail to comply
- OPC investigation — the OPC may open a formal investigation into your organization's privacy practices broadly, not just the breach
- Published findings — the OPC regularly publishes investigation findings. A published finding naming your organization is significant reputational risk
- Federal Court referral — the OPC can apply to the Federal Court for a hearing, which can result in compliance orders and damages
Beyond regulatory consequences, organizations that delay or fail to notify affected individuals expose themselves to civil liability if individuals suffer harm as a result.
Dual obligations: when PIPEDA and provincial PIPA both apply
If your organization operates in Alberta or British Columbia and also engages in interprovincial or cross-border commercial activity, both PIPEDA and the applicable provincial PIPA may impose breach reporting obligations. The OPC and OIPC Alberta (or OIPC BC) expect separate reports to each regulator when a breach triggers obligations under both frameworks.
ClearBreach performs simultaneous evaluation under all applicable frameworks and generates separate regulator reports for each one triggered.
Using ClearBreach for your PIPEDA assessment
ClearBreach guides your organization through a structured 18–23 question assessment covering every RROSH factor under PIPEDA, Alberta PIPA, and BC PIPA simultaneously. At the end of the wizard, you receive:
- An Assessment Verdict Card — your formal RROSH determination with score and obligations triggered
- An Internal Incident Record — the 24-month compliance record, complete
- An Individual Notification Letter — ready to send to affected individuals
- An OPC Breach Report draft — pre-populated with your assessment data, ready for review and submission
The entire assessment takes under 15 minutes. All answers are processed in your browser — nothing is transmitted to ClearBreach servers.
Frequently asked questions
What does RROSH mean under PIPEDA?
RROSH stands for Real Risk of Significant Harm. Under PIPEDA, a breach must be reported to the OPC and affected individuals only if it poses a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative effects on credit records, and property damage. The risk must be more than speculative — it must be a genuine possibility given the circumstances of the breach.
Do I have to report a data breach to the OPC?
Yes, if the breach poses a real risk of significant harm (RROSH) to affected individuals. Reporting is mandatory under PIPEDA's Breach of Security Safeguards Regulations and must be made as soon as feasible after determining RROSH is present. Organizations that knowingly fail to report face fines of up to $100,000 per violation.
How long do I have to report a data breach under PIPEDA?
PIPEDA requires reporting "as soon as feasible" after you determine the breach poses a real risk of significant harm. The OPC expects organizations to report within days of that determination, not weeks. You do not need to complete a full forensic investigation before reporting. File on available information and provide supplements as your investigation continues.
What happens if I don't report a data breach in Canada?
Failure to report a reportable PIPEDA breach is an offence. Organizations face fines of up to $100,000 per violation for knowingly failing to report to the OPC or notify affected individuals. The OPC may also conduct a formal investigation, publish findings publicly, and refer the matter to the Federal Court. Reputational damage is significant if the breach is discovered later.
Does PIPEDA apply to small businesses in Canada?
Yes. PIPEDA applies to all private-sector organizations that collect, use, or disclose personal information in the course of commercial activity, regardless of size. There is no small-business exemption. Alberta and BC have their own substantially similar PIPA legislation, but organizations engaged in interprovincial or international commercial activity are subject to PIPEDA regardless of province.
Do I have to notify affected individuals after a data breach?
Yes. Under PIPEDA, if RROSH is present you must notify affected individuals directly — not just through a public notice unless direct notification is not reasonably possible. The notification must describe the breach, the type of personal information involved, steps your organization has taken, steps the individual can take to protect themselves, and contact information for follow-up questions.
What documents do I need to produce after a privacy breach in Canada?
Under PIPEDA you need three things: (1) an internal breach record for every breach regardless of whether RROSH is present — retained for 24 months; (2) an OPC breach report filed as soon as feasible if RROSH is present; (3) individual notification letters sent directly to each affected individual if RROSH is present. ClearBreach generates all three automatically after your assessment.
This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.