What ClearBreach Generates
By Yong Du
ClearBreach generates six required breach documents from one assessment — RROSH verdict, OPC breach report, provincial submissions, and notification letter.
Evaluate ClearBreach before your next breach
Six compliance documents generated automatically from a single 15-minute assessment — entirely in your browser.
What does ClearBreach generate after a breach assessment?
ClearBreach generates six compliance documents from a single 15-minute browser-based assessment: an RROSH Verdict Card, an OPC Breach Report (PIPEDA), an OIPC Alberta Breach Report (Alberta PIPA), an OIPC BC Voluntary Breach Report (BC PIPA), an Individual Notification Letter, and an Internal Incident Record. All six documents are pre-populated from your assessment answers. No blank templates to fill in manually. No breach details transmitted to ClearBreach servers.
This page describes what each document contains, the legal fields required by Canadian law, and how ClearBreach generates it. If you are evaluating ClearBreach before a breach occurs, this is the right starting point.
On this page:
- RROSH Verdict Card
- OPC Breach Report — PIPEDA
- OIPC Alberta Breach Report — Alberta PIPA
- OIPC BC Voluntary Breach Report — BC PIPA
- Individual Notification Letter
- Internal Incident Record
- Which documents apply to your organization?
- Province-by-province document coverage
RROSH Verdict Card
The RROSH Verdict Card is the output of ClearBreach's rules-engine assessment. It shows a binary finding — BELOW_RROSH or RROSH — under each applicable framework (PIPEDA, Alberta PIPA, BC PIPA), and lists the specific obligations triggered under each framework where RROSH is present.
The Verdict Card is the first document ClearBreach generates and the one that determines which of the remaining five documents you need. If the finding is BELOW_RROSH, only the Internal Incident Record is required. If RROSH is present under any framework, the remaining documents are generated for that framework.
What the RROSH Verdict Card contains
- RROSH finding per framework — BELOW_RROSH or RROSH under PIPEDA, Alberta PIPA, and BC PIPA separately
- Assessment factor summary — how the four RROSH factors (sensitivity, misuse probability, scale, recovery status) drove the finding
- Obligations triggered — specific reporting and notification obligations activated under each applicable framework
- Framework applicability — which frameworks apply to your organization based on your assessment answers
A completed sample Verdict Card is available at /sample-report/. For a detailed explanation of how the four RROSH factors are assessed, see What Is RROSH?
OPC Breach Report — PIPEDA
The OPC Breach Report is filed with the Office of the Privacy Commissioner of Canada when a breach poses a real risk of significant harm under PIPEDA. Filing is mandatory when RROSH is present, and must be made as soon as feasible after the RROSH determination — in practice, days, not weeks.
ClearBreach generates the OPC report pre-populated with your breach facts, formatted to match the required fields under the Breach of Security Safeguards Regulations (SOR/2018-64). The draft is ready for review and submission via the OPC's online breach portal at priv.gc.ca.
What the OPC breach report form must contain
The Breach of Security Safeguards Regulations specify the mandatory fields for the OPC report:
- Description of the breach — circumstances of how the breach occurred
- Date or estimated date — when the breach occurred or was discovered
- Personal information involved — a description of the type and nature of the personal information affected
- Number of individuals affected — actual count or a reasonable estimate
- Steps taken or to be taken — measures your organization has taken or plans to take to reduce the risk of harm to affected individuals
- Individual notification steps — what you have done or plan to do to notify affected individuals directly
- Contact information — name and contact details for a person in your organization who can answer questions from the OPC
ClearBreach pre-populates all seven required fields from your assessment answers. You review, edit if needed, and submit.
For the full PIPEDA reporting framework, see PIPEDA Breach Reporting Requirements.
OIPC Alberta Breach Report — Alberta PIPA
The OIPC Alberta Breach Report is filed with the Office of the Information and Privacy Commissioner of Alberta when a breach poses RROSH under Alberta PIPA. Filing is mandatory when RROSH is present and must be made without unreasonable delay.
ClearBreach generates a pre-populated OIPC Alberta report that mirrors the April 2024 official OIPC Alberta breach notification form. It is generated automatically when your assessment indicates Alberta PIPA applies — typically when the breach involves personal information about Alberta residents collected in the course of commercial activity within the province.
What the OIPC Alberta breach notification form must contain
Alberta PIPA requires the following fields in the breach report to the OIPC:
- Description of the breach — how it occurred and what systems or processes were involved
- Date or approximate date — when the breach occurred
- Personal information involved — type and description of the personal information affected
- Number of individuals affected — actual count or estimate
- Steps to reduce risk of harm — containment and mitigation measures taken
- Individual notification steps — what you have done or will do to notify affected individuals directly
- Contact information — a person within your organization who can answer OIPC questions
When both Alberta PIPA and PIPEDA apply, ClearBreach generates separate OIPC Alberta and OPC reports automatically. Individual notification is generated once — a single letter satisfying both frameworks.
For the full Alberta PIPA framework, see Alberta PIPA Breach Notification Requirements.
OIPC BC Voluntary Breach Report — BC PIPA
The OIPC BC Voluntary Breach Report is filed with the Office of the Information and Privacy Commissioner for BC. Unlike PIPEDA and Alberta PIPA, reporting to the OIPC BC under BC PIPA is voluntary — not legally mandatory. However, voluntary reporting demonstrates accountability and is considered best practice for any significant breach triggering BC PIPA obligations.
ClearBreach generates the OIPC BC report with voluntary reporting language when your assessment indicates BC PIPA applies — typically when the breach involves personal information about BC residents collected in the course of commercial activity within the province. The draft is ready for submission to the OIPC BC.
What the OIPC BC voluntary breach report should contain
The OIPC BC expects voluntary reports to include:
- Description of the breach — circumstances and how it occurred
- Date or approximate date — when the breach occurred
- Personal information involved — type and description, and number of individuals affected
- RROSH determination — your finding under BC PIPA
- Containment steps — measures taken to stop and contain the breach
- Individual notification steps — what you have done to notify affected BC individuals
- Contact information — your privacy officer or responsible person
If the breach also triggers PIPEDA mandatory reporting, the OPC and OIPC BC coordinate directly. Filing with both avoids the appearance of selective disclosure to only one regulator.
For the full BC PIPA framework, see BC PIPA Breach Reporting Requirements.
Individual Notification Letter
The Individual Notification Letter is sent directly to every person whose personal information was involved in a breach that poses RROSH. Direct individual notification is mandatory under PIPEDA, Alberta PIPA, and BC PIPA when RROSH is present. A general public notice or website announcement does not satisfy this obligation unless direct contact is not reasonably possible.
ClearBreach generates one letter covering all applicable frameworks. The letter is drafted in plain language and satisfies the required contents of each framework that applies to your organization.
What a privacy breach notification letter must include
Under PIPEDA, the individual notification must:
- Describe the circumstances of the breach
- Identify the type of personal information involved
- Describe steps your organization has taken to reduce risk of harm
- Describe steps the individual can take to protect themselves
- Include a toll-free number or other direct contact means for follow-up questions
Under Alberta PIPA, the individual notification must:
- Describe the breach and the personal information involved
- State the date or approximate date of the breach
- Describe steps taken or to be taken to reduce harm to the individual
- Include contact information so the individual can ask follow-up questions
Under BC PIPA, the individual notification must:
- Describe the circumstances of the breach
- Identify the personal information involved
- Describe steps taken to reduce harm
- Include contact information for the individual to ask questions
ClearBreach generates a single letter that satisfies the requirements of every applicable framework, identified from your assessment answers. You do not need to draft separate letters per jurisdiction.
Internal Incident Record
The Internal Incident Record is required for every breach of security safeguards — regardless of whether RROSH was present or any report was filed with a regulator. Under PIPEDA, the record must be retained for a minimum of 24 months. Alberta PIPA and BC PIPA also require organizations to maintain internal breach records. The OPC, OIPC Alberta, or OIPC BC may request access to this record.
ClearBreach generates the Internal Incident Record automatically at the end of every assessment, including assessments that result in a BELOW_RROSH finding.
What an internal breach record must document
- Date and description — when the breach occurred and what happened
- Nature of personal information involved — type, sensitivity, and estimated volume
- Cause — root cause of the breach, if known at the time of assessment
- Number of individuals affected — actual count or best estimate
- RROSH determination and reasoning — the finding (BELOW_RROSH or RROSH) and the factor-by-factor analysis supporting it
- Containment and remediation steps — actions taken to stop the breach, recover data, and prevent recurrence
- Regulatory reporting — whether a report was filed with the OPC, OIPC Alberta, and/or OIPC BC, and the date filed
- Individual notification — whether affected individuals were notified and when
The Internal Incident Record is your compliance file for the breach. Under PIPEDA, failure to maintain this record is an offence.
Which documents apply to your organization?
The documents ClearBreach generates depend on which frameworks apply to your organization and whether RROSH is present. The table below shows which documents are triggered under each scenario.
| Document | PIPEDA | Alberta PIPA | BC PIPA | RROSH required? |
|---|---|---|---|---|
| RROSH Verdict Card | Always | Always | Always | No — generated for every assessment |
| OPC Breach Report | ✓ | — | — | Yes — mandatory when RROSH present |
| OIPC Alberta Breach Report | — | ✓ | — | Yes — mandatory when RROSH present |
| OIPC BC Voluntary Breach Report | — | — | ✓ | Recommended — voluntary under BC PIPA |
| Individual Notification Letter | ✓ | ✓ | ✓ | Yes — mandatory when RROSH present |
| Internal Incident Record | Always | Always | Always | No — required for every breach |
ClearBreach identifies which frameworks apply to your organization based on your assessment answers — where your organization operates, whether commercial activity crosses provincial borders, and whether any federally regulated activities are involved. You do not need to pre-determine your framework obligations before starting the assessment.
Province-by-province document coverage
ClearBreach covers private-sector organizations in every Canadian province except Quebec. The applicable framework — and therefore the documents generated — depends on your province and whether your commercial activity is purely intraprovincial or crosses provincial or international borders.
Ontario, Saskatchewan, Manitoba, New Brunswick, Nova Scotia, Prince Edward Island, and Newfoundland and Labrador
These provinces have no substantially similar provincial privacy legislation. PIPEDA is the sole applicable framework for private-sector organizations in these provinces. ClearBreach generates four documents for a PIPEDA-only assessment:
- RROSH Verdict Card — every assessment
- OPC Breach Report — when RROSH is present (mandatory)
- Individual Notification Letter — when RROSH is present (mandatory)
- Internal Incident Record — every assessment (24-month retention required)
No provincial OIPC submission is required. There is one regulator: the OPC at priv.gc.ca.
Alberta
Alberta organizations are subject to Alberta PIPA for purely intraprovincial commercial activity, and also subject to PIPEDA when commercial activity crosses provincial or international borders. Most Alberta SMEs are subject to both. ClearBreach generates:
- RROSH Verdict Card — every assessment
- OPC Breach Report — when RROSH is present and PIPEDA applies (mandatory)
- OIPC Alberta Breach Report — when RROSH is present and Alberta PIPA applies (mandatory)
- Individual Notification Letter — when RROSH is present (one letter satisfying both frameworks)
- Internal Incident Record — every assessment
When both frameworks apply, ClearBreach generates separate OPC and OIPC Alberta reports automatically. For the full Alberta PIPA framework, see Alberta PIPA Breach Notification Requirements.
British Columbia
BC organizations are subject to BC PIPA for purely intraprovincial commercial activity, and also subject to PIPEDA when commercial activity crosses provincial or international borders. Most BC SMEs are subject to both. ClearBreach generates:
- RROSH Verdict Card — every assessment
- OPC Breach Report — when RROSH is present and PIPEDA applies (mandatory)
- OIPC BC Voluntary Breach Report — when RROSH is present and BC PIPA applies (recommended)
- Individual Notification Letter — when RROSH is present (one letter satisfying both frameworks)
- Internal Incident Record — every assessment
For the full BC PIPA framework, see BC PIPA Breach Reporting Requirements.
Quebec
ClearBreach does not currently cover Quebec. Quebec private-sector organizations are governed by Quebec's Act respecting the protection of personal information in the private sector (Law 25), which operates under a separate framework administered by the Commission d'accès à l'information (CAI). Law 25 breach reporting obligations differ materially from PIPEDA, Alberta PIPA, and BC PIPA. ClearBreach support for Law 25 is planned for a future release.
Frequently asked questions
Is there a PIPEDA breach notification template?
ClearBreach generates a pre-populated OPC breach report draft — the functional equivalent of a PIPEDA breach notification template — directly from your assessment answers. Rather than a blank template you fill out manually, the report is auto-populated with your breach facts and formatted to match the OPC's required fields under the Breach of Security Safeguards Regulations. The same assessment simultaneously generates an OIPC Alberta submission, OIPC BC voluntary report, individual notification letter, and internal incident record.
What does a PIPEDA breach report form include?
The OPC breach report under PIPEDA must include: a description of the circumstances of the breach; the date or estimated date; a description of the personal information involved; the number of individuals affected or an estimate; the steps your organization has taken or will take to reduce risk of harm; the steps taken or to be taken to notify affected individuals; and contact information for a person in your organization who can answer OPC questions. ClearBreach pre-populates all required fields from your 15-minute assessment.
What goes in a privacy breach notification letter in Canada?
Under PIPEDA, the individual notification letter must describe the circumstances of the breach, identify the type of personal information involved, describe steps your organization has taken to reduce harm, describe steps the individual can take to protect themselves, and include contact information for follow-up questions. Alberta PIPA and BC PIPA have the same core requirements. ClearBreach generates a single letter covering all applicable frameworks from your assessment.
What is an internal breach record under PIPEDA?
PIPEDA requires organizations to maintain an internal record of every breach of security safeguards — regardless of whether it reached the RROSH threshold — for a minimum of 24 months. The record must document: the date and description of the breach, the nature of the personal information involved, the cause (if known), the number of individuals affected, the RROSH determination and reasoning, containment and remediation steps, and whether the breach was reported to the OPC and individuals notified. ClearBreach generates this record automatically.
What does an RROSH assessment tool produce?
An RROSH assessment tool evaluates the four RROSH factors — sensitivity of personal information, probability of misuse, number of individuals affected, and whether data was recovered — and produces a binary finding: BELOW_RROSH (no mandatory reporting obligations) or RROSH (mandatory reporting obligations apply). ClearBreach runs this assessment under PIPEDA, Alberta PIPA, and BC PIPA simultaneously and produces a Verdict Card showing the finding and specific obligations triggered under each applicable framework, plus five additional compliance documents.
This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.