What Is RROSH? Real Risk of Significant Harm Under PIPEDA Explained
RROSH — Real Risk of Significant Harm — is the threshold that determines whether a Canadian data breach must be reported. Learn what it means, how it is assessed, and what factors drive the determination.
What RROSH means and why it matters
When a privacy breach occurs, the most important legal question a Canadian organization must answer is: does this breach pose a Real Risk of Significant Harm?
The answer determines whether the breach must be:
- Reported to the Office of the Privacy Commissioner of Canada (OPC) under PIPEDA
- Reported to the OIPC Alberta under Alberta PIPA
- Voluntarily reported to the OIPC BC (recommended) under BC PIPA
- Notified directly to the affected individuals (under PIPEDA the organization must do this itself; under Alberta PIPA the Commissioner decides whether individual notification is required)
Every privacy breach, regardless of RROSH, must be documented internally: PIPEDA requires a record of every breach of security safeguards, kept for 24 months, whether or not it was reported. But only breaches that reach the RROSH threshold trigger mandatory reporting and individual notification.
RROSH is not a high bar. It does not shield organizations from reporting incidents that look minor at first glance. For most breaches involving sensitive personal information (health records, financial data, social insurance numbers, passwords, or contact information combined with other sensitive data) RROSH will be present.
The legal definition of significant harm
PIPEDA itself, in section 10.1(7), defines significant harm to include the following (the Breach of Security Safeguards Regulations set out what a report and a notification must contain, not the definition of harm):
- Bodily harm — physical injury resulting from the breach or its consequences
- Humiliation — public embarrassment or personal shame resulting from disclosure of sensitive information
- Damage to reputation or relationships — loss of standing in the community, damaged personal or professional relationships
- Loss of employment, business, or professional opportunities — job loss, contract termination, or professional licensing issues
- Financial loss — direct financial theft, fraudulent transactions, or costs incurred by the individual as a result of the breach
- Identity theft — misuse of personal information to impersonate the individual
- Negative effects on credit records — fraudulent credit applications, unpaid accounts in the individual's name
- Damage to or loss of property — physical property damage caused by information disclosure
The harm does not need to have already occurred. RROSH asks whether there is a real risk, a genuine possibility rather than a speculative one, that any of these harms could result from the breach. The statutory test is whether it is reasonable in the circumstances to believe that the breach creates such a risk.
Alberta PIPA applies the same real-risk-of-significant-harm threshold, and its Commissioner reads "significant harm" in substantially the same way. BC PIPA currently has no mandatory breach-reporting provision; the OIPC BC's voluntary reporting guidance borrows the same concept.
The four factors for assessing RROSH
No single fact determines RROSH. PIPEDA names two statutory factors, the sensitivity of the personal information and the probability that it has been, is being, or will be misused, and leaves room for other prescribed factors. In practice the assessment also weighs the scale of the breach and whether the information was recovered, so the analysis examines four factors together:
Factor 1: Sensitivity of the personal information
Not all personal information carries equal risk. The more sensitive the information involved in a breach, the higher the probability that harm could result from its disclosure.
High sensitivity — information that almost always elevates RROSH probability when compromised:
- Social Insurance Numbers (SINs)
- Financial account numbers, PINs, passwords, and credit card data
- Health and medical information
- Biometric data
- Government-issued identification numbers
- Information about minors
Moderate sensitivity — information that elevates RROSH probability depending on context:
- Full name combined with date of birth
- Home address combined with other identifying information
- Employment information
- Credentials for non-financial accounts (email/password combinations); risk depends on whether the password was stored as a salted hash or in clear text, and on how widely the password is reused
Lower sensitivity — information less likely on its own to create significant harm risk:
- Name and employer alone (often already publicly available)
- General demographic information
- Non-sensitive business contact information
Important: sensitivity is not assessed in isolation. A combination of lower-sensitivity fields can still produce RROSH if the combination enables identity theft, targeted fraud, or other harm. Assess the full picture of what was exposed.
Factor 2: Probability that the information has been or will be misused
This factor examines the likelihood that the personal information will actually be used to harm an individual.
Higher probability of misuse:
- Intentional attack by a threat actor (ransomware, targeted intrusion, insider theft)
- Confirmed exfiltration of data from the environment
- Information sold or posted on dark web marketplaces
- Breach by a known bad actor or organized criminal group
Lower probability of misuse:
- Accidental send to wrong recipient within the same organization
- Paper records lost in transit, no indication of interception
- Vulnerable system accessed but no evidence of data extraction (this only carries weight where logging was sufficient to have recorded extraction had it occurred)
- Prompt recovery of lost device with evidence it was not accessed
The key question is: given who had access and what their apparent intent was, how likely is it that the personal information will be used to harm someone?
Factor 3: Number of individuals affected
Scale matters, but it is not the only consideration. A breach affecting thousands of individuals with low-sensitivity information may not reach RROSH. A breach affecting one individual with highly sensitive information (a health record, a SIN) may clearly meet the threshold.
As scale increases — particularly for sensitive data — the aggregate risk of harm escalates rapidly. A breach exposing the SINs and financial data of 500 employees carries a near-certain RROSH determination.
Factor 4: Whether the information has been recovered
Recovery of compromised information reduces — but does not eliminate — the probability of harm.
Strong recovery (reduces RROSH probability):
- Device recovered promptly with verified evidence it was not accessed (for example, it remained locked and encrypted throughout)
- Misdirected email recalled immediately with written confirmation of deletion by the recipient
- Unauthorized access revoked quickly, with audit or query logs showing no personal information was read or exported
Weak or no recovery (increases RROSH probability):
- Ransomware attack: data should be presumed exfiltrated unless logs affirmatively show otherwise
- Stolen device not recovered
- Credentials compromised in a third-party breach — still circulating
- No technical confirmation of whether data was accessed
How RROSH applies to common breach scenarios
Ransomware attacks
Ransomware almost always triggers RROSH when personal information was present on affected systems. Access is confirmed (the attacker was inside the environment and encrypting the data is itself unauthorized access), intent is malicious, and exfiltration before encryption is common. Absence of proof of exfiltration is not proof that it did not happen. Expect a HIGH or CRITICAL verdict.
Business email compromise / phishing
Depends on what was in the compromised mailbox. A mailbox containing health records, financial data, or SINs carries a HIGH probability of RROSH. A mailbox containing only internal operational communications carries a lower probability. Always review the full contents of the compromised account, including attachments, shared folders, and any forwarding or inbox rules the attacker created, before concluding RROSH is absent.
Lost or stolen device
An unencrypted device containing sensitive personal information: RROSH almost certainly present. An encrypted device with strong credential management: much lower probability. Full-disk encryption is the key mitigating factor, but only if you can show it was actually enabled on that device (from an MDM or asset inventory record, not just a policy), the device was locked or powered off when lost, and the passphrase or recovery key was not stored with it.
Third-party vendor breach
A vendor breach triggers RROSH assessment as if it were a direct breach of your organization. The sensitivity of the data you provided to the vendor and the nature of their breach determine RROSH. You remain accountable for personal information you transferred to a third party for processing, regardless of who holds it, so your contracts should require the vendor to notify you promptly and to provide the facts needed to assess the four factors.
Accidental disclosure (wrong recipient)
Probability of RROSH depends on how sensitive the information was, whether it was recovered, who received it, and whether there is evidence it was reviewed or forwarded. A misdirected email containing a single name and address: lower probability. A misdirected file containing hundreds of customers' health records: RROSH almost certainly present.
How ClearBreach evaluates RROSH
ClearBreach's rules engine was designed specifically around the RROSH assessment framework. The 18–23 question wizard gathers the breach facts that drive each of the four RROSH factors: the type and sensitivity of personal information involved, evidence of access and probable intent, scale of the breach, and recovery status.
The engine evaluates your answers against 22 rules covering PIPEDA, Alberta PIPA, and BC PIPA simultaneously. The result is a scored verdict — MINIMAL, LOW, MEDIUM, HIGH, or CRITICAL — with a clear determination of whether RROSH is present and which reporting obligations are triggered.
The entire assessment runs in your browser. No breach details are transmitted to ClearBreach servers.
Frequently asked questions
What does RROSH mean?
RROSH stands for Real Risk of Significant Harm. Under PIPEDA and Alberta PIPA, a data breach must be reported to the regulator, and affected individuals notified, only if it poses a real risk of significant harm to an individual. BC PIPA has no mandatory reporting duty, but the OIPC BC recommends voluntary reporting using the same threshold. The risk must be more than speculative: it must be a genuine possibility given the nature and circumstances of the breach.
What counts as significant harm under PIPEDA?
Significant harm under PIPEDA includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or professional opportunities, financial loss, identity theft, negative effects on credit records, and damage to property. The harm does not need to have occurred — only that there is a real risk it could occur given the nature of the personal information involved and the circumstances of the breach.
What are the four RROSH factors?
The four RROSH factors are: (1) sensitivity of the personal information involved; (2) probability that the information has been, is being, or will be misused; (3) number of individuals affected; and (4) whether the information has been recovered. These factors are assessed together — no single factor is determinative, but highly sensitive information combined with confirmed access almost always produces a finding of RROSH.
Is RROSH the same under PIPEDA, Alberta PIPA, and BC PIPA?
Substantially, yes. PIPEDA and Alberta PIPA both use a real-risk-of-significant-harm threshold, and the same four assessment factors apply in practice under both. BC PIPA does not currently impose a mandatory reporting duty, but the OIPC BC's voluntary reporting guidance applies the same concept. ClearBreach evaluates RROSH simultaneously under all three frameworks in a single assessment.
What breach scenarios almost always trigger RROSH?
Ransomware attacks with personal information on affected systems, confirmed exfiltration of sensitive data (SINs, health records, financial accounts), and deliberate unauthorized access by a threat actor almost always trigger RROSH. Lost or stolen devices containing unencrypted sensitive data typically trigger RROSH. Accidental internal sends of limited non-sensitive information with prompt recovery are less likely to reach the threshold.
This guide is not legal advice. It provides practical guidance on Canadian privacy breach obligations. Consult a qualified privacy lawyer before submitting reports to regulators.
Run your formal assessment now
ClearBreach generates your verdict and all required documents automatically — in under 15 minutes.
Get early access