
PIPEDA Breach Reporting Requirements

By Yong Du

Understand PIPEDA breach reporting — RROSH threshold, OPC report requirements, individual notification obligations, and the 24-month record-keeping rule.

What are the breach notification requirements under PIPEDA?

PIPEDA requires three things when a breach poses a real risk of significant harm: report to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, notify all affected individuals directly, and maintain an internal breach record for 24 months. ClearBreach automates all three — generating your OPC breach report, individual notification letter, and internal incident record in a single 15-minute assessment.

The requirements flow from the Breach of Security Safeguards Regulations, which came into force on November 1, 2018. When a breach of security safeguards occurs — meaning any unauthorized access to, use of, or disclosure of personal information — organizations must complete three tasks if the breach poses a real risk of significant harm:

  1. Report the breach to the Office of the Privacy Commissioner of Canada (OPC)
  2. Notify all affected individuals directly
  3. Maintain an internal record of the breach for 24 months

Every breach must be recorded internally, even those that do not reach the RROSH threshold for reporting.

Generate your OPC breach report, individual notification letter, and internal incident record automatically. ClearBreach runs your RROSH assessment under PIPEDA, Alberta PIPA, and BC PIPA simultaneously and produces all required documents in under 15 minutes — entirely in your browser.


Who is subject to PIPEDA breach reporting?

PIPEDA applies to every private-sector organization engaged in commercial activity in Canada, regardless of size. Alberta and BC have substantially similar provincial PIPA legislation — but any interprovincial or cross-border commercial activity triggers PIPEDA regardless of province. Federally regulated industries are always subject to PIPEDA.

PIPEDA applies to:

  • Businesses of any size operating interprovincially or internationally
  • Organizations in federally regulated sectors (banking, telecommunications, transportation, broadcasting) regardless of province
  • Organizations in provinces without substantially similar provincial legislation

Provincial exceptions: Alberta (PIPA) and British Columbia (PIPA) have provincial legislation deemed substantially similar to PIPEDA. Organizations that only collect, use, and disclose personal information within Alberta or BC in the course of purely intraprovincial commercial activity are governed by the provincial legislation instead of PIPEDA. However, if any commercial activity crosses provincial or international borders, PIPEDA applies.

In practice, most Canadian SMEs are subject to PIPEDA for cross-border transactions, online business, and any activity that moves personal information outside the province. If you are uncertain which legislation applies to your organization, err on the side of compliance with both PIPEDA and your applicable provincial PIPA.


Which provinces are covered by PIPEDA only?

Saskatchewan, Manitoba, New Brunswick, Nova Scotia, Prince Edward Island, and Newfoundland and Labrador have no substantially similar provincial privacy legislation. Organizations in these provinces are subject to PIPEDA only — the same single-regulator framework as Ontario. Report to the OPC at priv.gc.ca. No concurrent provincial regulator filing is required.

Unlike Alberta and British Columbia — which have enacted provincial PIPA legislation deemed substantially similar to PIPEDA — these provinces have not passed equivalent private-sector privacy laws. The practical result for organizations based in Saskatchewan, Manitoba, New Brunswick, Nova Scotia, Prince Edward Island, or Newfoundland and Labrador:

  • One regulator: the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca
  • One report: the OPC PIPEDA breach report, filed as soon as feasible when RROSH is present
  • No provincial OIPC filing: unlike organizations in Alberta or BC, there is no concurrent provincial filing requirement
  • Same obligations as Ontario organizations: the single-regulator advantage applies equally

A Saskatchewan professional services firm, a Manitoba retailer, a New Brunswick accounting practice, and a Nova Scotia technology company all have identical breach reporting obligations under PIPEDA. The framework described in this guide is their complete applicable framework — there is no additional provincial layer.


What is the RROSH threshold that triggers PIPEDA reporting?

Not every breach triggers reporting. PIPEDA uses a threshold called Real Risk of Significant Harm (RROSH). A breach must be reported only when it poses a real, genuine possibility — not speculative — that significant harm could result from the nature and circumstances of the exposure.

What counts as significant harm under PIPEDA?

The Breach of Security Safeguards Regulations define significant harm to include:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment, business, or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

The harm does not need to have occurred — only that there is a real risk it could occur. "Real" means more than speculative: it must be a genuine possibility given the nature and sensitivity of the personal information involved.

What are the four RROSH factors under PIPEDA?

Organizations must assess four factors when determining whether RROSH is present:

1. Sensitivity of the personal information

Financial account numbers, social insurance numbers, health information, and passwords are highly sensitive. Name and address alone are lower sensitivity. The more sensitive the information, the higher the probability RROSH is present.

2. Probability that the personal information has been, is being, or will be misused

Was access confirmed? Was it an intentional attack or an accidental disclosure? Ransomware attacks and deliberate exfiltration carry high probability of misuse. An internal accidental send to the wrong recipient with prompt recall carries lower probability.

3. Number of individuals affected

A breach affecting thousands of individuals with sensitive data almost certainly triggers RROSH. A breach affecting one individual with limited information may not. Scale is not determinative on its own — one affected individual with highly sensitive information (e.g., a health record or SIN) can still meet the RROSH threshold.

4. Whether the information has been recovered

If stolen data has been definitively recovered and there is strong evidence it was not accessed or copied, this reduces the probability of harm. Unrecovered data — particularly in ransomware or confirmed exfiltration scenarios — weighs heavily toward RROSH.

For a full breakdown of all four factors with worked examples, see What Is RROSH?


What must I report to the OPC and when?

Report to the OPC as soon as feasible after determining RROSH is present — days from that determination, not weeks. File on information available at the time and supplement as your investigation continues. Do not delay reporting while waiting for a forensic investigation to complete.

What the OPC breach report must contain

Your report to the OPC must include:

  • A description of the circumstances of the breach
  • The date or approximate date of the breach
  • A description of the personal information involved
  • The number of individuals affected (or an estimate)
  • The steps your organization has taken or will take to reduce the risk of harm
  • The steps your organization has taken or will take to notify affected individuals
  • Contact information for a person within your organization who can answer questions

You submit the report through the OPC's online breach portal at priv.gc.ca.


When must I notify affected individuals under PIPEDA?

When RROSH is present, notify every affected individual directly as soon as feasible. Direct notification is required — a public notice is only permitted when direct contact is not reasonably possible, would cause further harm, or would be disproportionately difficult given the scale of the breach.

Who needs to be notified of a privacy breach?

Under PIPEDA, every individual whose personal information was involved in a breach that poses RROSH must be notified directly. Public notice is only permitted when direct notification would cause further harm, is not reasonably possible, or is disproportionately difficult given the scale of the breach.

Requirements for individual notification under PIPEDA

The notification must:

  • Be given directly to each affected individual (not through a public notice, unless direct notification would cause further harm or is not reasonably possible)
  • Describe the circumstances of the breach in plain language
  • Identify the type of personal information involved
  • Describe the steps your organization has taken to reduce the risk of harm
  • Describe the steps the individual can take to protect themselves
  • Include a toll-free number or other means to contact your organization for further information

When is public notice permitted?

Direct notification is the requirement. Public notice is permitted only if direct notification would itself cause further harm, would be unreasonably difficult (e.g., you do not have current contact information for all affected individuals), or would be disproportionately expensive given the scale of the breach and nature of the harm. Even then, a public notice should be accompanied by direct notification wherever direct contact is feasible.


What are the PIPEDA record-keeping requirements?

PIPEDA requires organizations to maintain a record of every breach of security safeguards — regardless of whether it reached the RROSH threshold — for a minimum of 24 months. The OPC may request access to this record. Failure to maintain it is an offence under PIPEDA.

Your internal breach record should document:

  • Date and description of the breach
  • Nature of the personal information involved
  • Cause of the breach (if known)
  • Number of individuals affected
  • RROSH determination and the reasoning behind it
  • Steps taken to contain the breach and prevent recurrence
  • Whether the breach was reported to the OPC and individuals notified

What happens if I fail to report a breach under PIPEDA?

Failure to report is an offence under PIPEDA. Organizations face fines of up to $100,000 per violation for knowingly failing to report to the OPC or notify individuals. The OPC may investigate, publish findings publicly, or refer the matter to Federal Court.

Beyond regulatory consequences, organizations that delay or fail to notify affected individuals expose themselves to civil liability if individuals suffer harm as a result.

Specific enforcement mechanisms include:

  • Fines of up to $100,000 per violation for organizations that knowingly fail to comply
  • OPC investigation — the OPC may open a formal investigation into your organization's privacy practices broadly, not just the breach
  • Published findings — the OPC regularly publishes investigation findings. A published finding naming your organization is significant reputational risk
  • Federal Court referral — the OPC can apply to the Federal Court for a hearing, which can result in compliance orders and damages

What do I do when PIPEDA and provincial PIPA both apply?

When both frameworks apply, notify individuals once using a notice that satisfies both. File a mandatory OPC report under PIPEDA. Also file separately with the OIPC Alberta (mandatory) or OIPC BC (voluntary best practice) as applicable. ClearBreach generates separate regulator submissions automatically.

Requirement             | PIPEDA                                    | Alberta PIPA                          | BC PIPA
------------------------|-------------------------------------------|---------------------------------------|------------------------------
Governing body          | OPC Canada (priv.gc.ca)                   | OIPC Alberta (oipc.ab.ca)             | OIPC BC (oipc.bc.ca)
Regulator reporting     | Mandatory when RROSH present              | Mandatory when RROSH present          | Voluntary
Individual notification | Mandatory when RROSH present              | Mandatory when RROSH present          | Mandatory when RROSH present
Timing — regulator      | As soon as feasible                       | Without unreasonable delay            | Voluntary — no fixed deadline
Timing — individuals    | As soon as feasible                       | Without unreasonable delay            | Without unreasonable delay
Enforcement             | OPC investigation, Federal Court referral | OIPC investigation, compliance orders | OIPC investigation, compliance orders
Record-keeping          | 24 months minimum                         | Required                              | Required

For jurisdiction-specific obligations, see Alberta PIPA Breach Notification Requirements and BC PIPA Privacy Breach Reporting Requirements.


Scenario-specific PIPEDA guidance

The RROSH framework applies regardless of how the breach occurred. For detailed guidance on specific incident types:

For province-specific guidance:


Using ClearBreach for your PIPEDA assessment

Run your PIPEDA breach assessment and generate all required documents automatically. ClearBreach guides your organization through a structured 18–23 question assessment covering every RROSH factor under PIPEDA, Alberta PIPA, and BC PIPA simultaneously. At the end of the assessment, you receive:

  • An Assessment Verdict Card — your formal RROSH determination with score and obligations triggered
  • An Internal Incident Record — the 24-month compliance record, complete
  • An Individual Notification Letter — ready to send to affected individuals
  • An OPC Breach Report draft — pre-populated with your assessment data, ready for review and submission

The entire assessment takes under 15 minutes. All answers are processed in your browser — nothing is transmitted to ClearBreach servers.

Frequently asked questions

What does RROSH mean under PIPEDA?

RROSH stands for Real Risk of Significant Harm. Under PIPEDA, a breach must be reported to the OPC and affected individuals only if it poses a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative effects on credit records, and property damage. The risk must be more than speculative — it must be a genuine possibility given the circumstances of the breach.

Do I have to report a data breach to the OPC?

Yes, if the breach poses a real risk of significant harm (RROSH) to affected individuals. Reporting is mandatory under PIPEDA's Breach of Security Safeguards Regulations and must be made as soon as feasible after determining RROSH is present. Organizations that knowingly fail to report face fines of up to $100,000 per violation.

How long do I have to report a data breach under PIPEDA?

PIPEDA requires reporting 'as soon as feasible' after you determine the breach poses a real risk of significant harm. The OPC expects organizations to report within days of that determination — not weeks. You do not need to complete a full forensic investigation before reporting. File on available information and provide supplements as your investigation continues.

What happens if I don't report a data breach in Canada?

Failure to report a reportable PIPEDA breach is an offence. Organizations face fines of up to $100,000 per violation for knowingly failing to report to the OPC or notify affected individuals. The OPC may also conduct a formal investigation, publish findings publicly, and refer the matter to the Federal Court. Reputational damage is significant if the breach is discovered later.

Does PIPEDA apply to small businesses in Canada?

Yes. PIPEDA applies to all private-sector organizations that collect, use, or disclose personal information in the course of commercial activity, regardless of size. There is no small-business exemption. Alberta and BC have their own substantially similar PIPA legislation, but organizations engaged in interprovincial or international commercial activity are subject to PIPEDA regardless of province.

Do I have to notify affected individuals after a data breach?

Yes. Under PIPEDA, if RROSH is present you must notify affected individuals directly — not just through a public notice unless direct notification is not reasonably possible. The notification must describe the breach, the type of personal information involved, steps your organization has taken, steps the individual can take to protect themselves, and contact information for follow-up questions.

What documents do I need to produce after a privacy breach in Canada?

Under PIPEDA you need three things: (1) an internal breach record for every breach regardless of whether RROSH is present — retained for 24 months; (2) an OPC breach report filed as soon as feasible if RROSH is present; (3) individual notification letters sent directly to each affected individual if RROSH is present. ClearBreach generates all three automatically after your assessment.

This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.
