ClearBreach

This guide is for use during an active breach.


Applies to: PIPEDA · AB PIPA · BC PIPA · All sectors

Unauthorized Employee Access — Quick Reference Guide

By Yong Du

Immediate steps for Canadian organizations when a current or former employee accesses personal information beyond their authorization under PIPEDA, Alberta PIPA, and BC PIPA.

Typical verdict

Case-by-case — depends on what was accessed, for how long, and whether exfiltration evidence exists

Reporting deadline

As soon as feasible after RROSH is determined — the HR investigation does not pause your reporting clock

Documents you will need

  • Internal Incident Record (always required)
  • Audit log exports — preserve immediately
  • OPC PIPEDA Breach Report (if PIPEDA RROSH triggered)
  • OIPC Alberta Notification Form (if AB PIPA applies)
  • OIPC BC Voluntary Report (if BC PIPA applies — voluntary but recommended)
  • Individual Notification Letters — to affected individuals, not to the employee

Do not

  • Treat it as an HR matter only — the breach assessment runs in parallel with any disciplinary process
  • Inform the employee the breach review is under way before revoking their access
  • Wait for the HR or legal investigation to conclude before determining RROSH
  • Accept the employee's stated motivation as a substitute for an evidence-based RROSH assessment
  • Assume RROSH is absent because the information was only viewed, not copied or exfiltrated
  • Let audit logs auto-delete — platforms often purge logs after 30–90 days

First 30 minutes

  • Revoke the employee's access to all systems holding personal information immediately — before informing the employee that a review is under way
  • If a former employee: revoke every remaining credential at once — email, VPN, cloud platforms, third-party SaaS tools, shared passwords, physical access cards
  • Preserve audit logs immediately — confirm log retention settings in Google Workspace, Microsoft 365, and all relevant platforms before any system changes
  • Designate a breach assessment lead separate from the HR process lead
  • Record the exact date and time the incident was discovered — this starts your response clock

Within 24 hours

  • Export all available audit logs for the employee's account activity — note what systems, what records, and what time periods are covered
  • Determine the scope: what categories of personal information could the employee have accessed within their system permissions?
  • Identify the individuals affected — customers, employees, or both — and which provinces they are in (determines whether AB PIPA and BC PIPA apply alongside PIPEDA)
  • Begin your RROSH assessment — do not wait for the HR investigation to produce findings
  • Document the employee's stated account if they have been interviewed — include what they said and when

Within 72 hours

  • Complete your RROSH assessment and determine your verdict
  • If no audit logs exist: assess on the worst-case scope of what the employee could have accessed given their system permissions
  • If PIPEDA RROSH threshold is met: file OPC Breach Report as soon as feasible — the HR investigation does not delay this
  • If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
  • If BC PIPA applies and RROSH is met: notify the OIPC BC through their breach notification process at oipc.bc.ca and notify affected BC residents directly
  • Send individual notifications directly to each person whose records were accessed — this is notification to those individuals, not to the employee who accessed them
  • If RROSH is not met: document the assessment and reasoning in your Internal Incident Record
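The following Python script is an added illustration of the audit-log export and scoping steps in the 24-hour list, together with the retention check behind the "do not let audit logs auto-delete" warning and the worst-case-scope fallback in the 72-hour list. It is not ClearBreach's code. The export column names, the account names, the dates and the 90-day retention figure are all constructed; real Google Workspace or Microsoft 365 exports use their own schemas and the column mapping would need to be adjusted.

```python
"""Triage an exported audit log for one employee account (added example, constructed data)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Constructed sample export. The column names are an assumption for this
# example; map your platform's real export columns onto them.
SAMPLE_EXPORT = """timestamp,actor,system,action,record_id,record_type
2024-01-20T09:12:00Z,j.doe@example.com,crm,view,C-1001,customer
2024-01-20T09:15:00Z,j.doe@example.com,crm,view,C-1002,customer
2024-02-11T14:02:00Z,j.doe@example.com,hr_portal,view,E-0042,employee
2024-02-11T14:05:00Z,j.doe@example.com,hr_portal,export,E-0042,employee
2024-03-05T22:41:00Z,j.doe@example.com,crm,view,C-1003,customer
2024-03-05T22:43:00Z,j.doe@example.com,crm,download,C-1003,customer
2024-03-06T10:00:00Z,a.smith@example.com,crm,view,C-1001,customer
"""

# Constructed case parameters: the account under review, the date the
# employee left, the discovery date, and the start of the period of concern.
ACTOR = "j.doe@example.com"
DEPARTURE = datetime(2024, 3, 1, tzinfo=timezone.utc)
DISCOVERED = date(2024, 4, 10)
CONCERN_START = date(2023, 11, 1)
RETENTION_DAYS = 90  # assumed platform retention; confirm the real setting

# Actions that go beyond viewing. View-only access does not rule out RROSH,
# but these events must be listed separately in the assessment.
EXFIL_ACTIONS = {"export", "download", "forward", "share"}


@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    system: str
    action: str
    record_id: str
    record_type: str


def parse_export(text: str) -> list[AuditEvent]:
    """Parse a CSV export into timezone-aware events."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        events.append(AuditEvent(ts, row["actor"], row["system"], row["action"],
                                 row["record_id"], row["record_type"]))
    return events


def scope_summary(events: list[AuditEvent], actor: str) -> dict:
    """Per system: records and record types touched, time window, non-view actions."""
    summary: dict = {}
    for e in events:
        if e.actor != actor:
            continue
        s = summary.setdefault(e.system, {"records": set(), "record_types": set(),
                                          "first": e.ts, "last": e.ts, "exfil_actions": []})
        s["records"].add(e.record_id)
        s["record_types"].add(e.record_type)
        s["first"] = min(s["first"], e.ts)
        s["last"] = max(s["last"], e.ts)
        if e.action in EXFIL_ACTIONS:
            s["exfil_actions"].append((e.ts.isoformat(), e.action, e.record_id))
    return summary


def post_departure_events(events: list[AuditEvent], actor: str, departure: datetime) -> list[AuditEvent]:
    """Activity after the departure date points to an offboarding/revocation gap."""
    return [e for e in events if e.actor == actor and e.ts >= departure]


def retention_coverage(discovered: date, retention_days: int, concern_start: date) -> dict:
    """How much of the period of concern the surviving logs can still cover.

    If the earliest retained log is later than the start of the period of
    concern, the uncovered part must be assessed on worst-case scope.
    """
    earliest = discovered - timedelta(days=retention_days)
    return {
        "earliest_covered": earliest.isoformat(),
        "worst_case_required": concern_start < earliest,
        "uncovered_days": max(0, (earliest - concern_start).days),
    }


def triage() -> dict:
    """Run the whole triage on the constructed case and return the findings."""
    events = parse_export(SAMPLE_EXPORT)
    return {
        "scope": scope_summary(events, ACTOR),
        "post_departure": len(post_departure_events(events, ACTOR, DEPARTURE)),
        "retention": retention_coverage(DISCOVERED, RETENTION_DAYS, CONCERN_START),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The output feeds the Internal Incident Record directly: per-system record lists and time windows give the scope, non-view actions give the exfiltration evidence, post-departure events show whether the credential revocation step failed, and the retention result tells you which part of the period of concern has to be assessed on worst-case permissions rather than on logs.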

Ongoing — until resolution

  • Close the access control gap that enabled the breach — offboarding failure, permission over-provisioning, or both
  • Update your Internal Incident Record as new information emerges — if material new facts arise after notification, send a follow-up to regulators and affected individuals
  • Review and update your offboarding checklist and credential revocation process for all departing employees
  • Retain all records — audit log exports, assessment records, notifications sent — for 24 months minimum from date of discovery
  • If the employee or former employee is subject to legal proceedings, coordinate evidence preservation with legal counsel — do not delete records as part of routine clean-up

Alberta PIPA — specific steps

  • Notify the OIPC Alberta and affected individuals simultaneously — this triggers the streamlined review process and a private closing letter rather than a public investigation
  • Complete the official OIPC Alberta Notification Form — do not substitute an informal letter
  • Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
  • Submit by email to breachnotice@oipc.ab.ca

BC PIPA — specific steps

  • BC PIPA applies if any affected individuals are BC residents — applies regardless of where your organization is based
  • OIPC BC voluntary reporting is available even if RROSH is not present — for borderline cases involving BC residents, voluntary reporting demonstrates good faith
  • If RROSH is present: notify the OIPC BC through their official breach notification process at oipc.bc.ca and notify affected BC residents directly
  • Do not substitute a general public notice for direct individual notification

MSPs — if managing this for a client

  • Confirm in writing with the client who leads regulatory notification before acting on their behalf — the client is the accountable party under PIPEDA and PIPA
  • If the unauthorized access was by one of your own employees into a client's systems: your obligation runs in two directions — your own regulatory and contractual notification, and notifying the client so they can manage their own obligations
  • Run a ClearBreach assessment under your MSP account for the affected client organization
  • Document all client communications with timestamps and keep the client's incident record separate from your own

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.
