Physical Records Breach — What Canadian Organizations Must Do

Which laws apply

Jurisdiction	Applies when	Regulator
PIPEDA	The physical records contained personal information used in commercial activity; or the affected individuals are in provinces without substantially similar legislation (Ontario, Manitoba, New Brunswick, and others)	Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
Alberta PIPA	Physical records containing personal information about Alberta residents or employees were lost, stolen, or improperly destroyed	OIPC Alberta — oipc.ab.ca / breachnotice@oipc.ab.ca
BC PIPA	Physical records containing personal information about BC residents or employees were lost, stolen, or improperly destroyed	OIPC BC — oipc.bc.ca

For most organizations, PIPEDA and one or both provincial statutes apply simultaneously. A separate notification is required for each applicable regulator if RROSH is determined.

---

What makes this scenario different

Every other breach scenario in these playbooks involves digital information — compromised credentials, exposed databases, misconfigured cloud storage. A physical records breach involves paper: files in a filing cabinet, boxes of records in transit, documents on a desk, paper recycling bins, or material handed to a third-party destruction service.

Three features distinguish this scenario.

The scope of what was accessed is often unknowable. In a digital breach, forensics can sometimes determine which files were opened, copied, or exfiltrated. In a physical breach, there is typically no way to know which specific pages a person read, copied, or took. If a filing cabinet is broken into, you know which files it contained — but not which ones were touched. If a box of records goes missing in transit, you know what should have been in the box — but not what condition the seal was in or whether anyone looked inside. Your RROSH assessment must account for the worst-case scope of what was accessible, not the optimistic case.

Improper destruction is a common and underappreciated cause. Many physical records breaches do not result from external theft. They result from organizational failures: paper recycling bins in the hallway containing unshredded client files, documents put in regular trash, a strip-cut shredder used for sensitive records, or a document destruction service that issues certificates without actually destroying the material. These breaches are caused by the organization's own practices, which affects both the RROSH assessment and the remediation requirements.

The records may have been accessible for a longer period than the incident suggests. A filing cabinet that was left unlocked for a period is not a single moment of exposure — it is an extended window of potential access by anyone with physical access to the space. Determining the actual exposure window often requires reviewing access logs (if a building security system exists), interviewing staff, and reconstructing when the gap was created and when it was closed.

---

Immediate steps — this scenario specifically

1. Secure the remaining records immediately. If the breach involves a filing cabinet, records room, or physical space, ensure that space is secured and that no further unauthorized access is possible. Change locks if keys are missing. If documents are missing, determine what the filing cabinet or container held and produce a complete inventory.

2. Determine the scope of the physical breach. For a theft: what area was entered, what containers were accessed, what files were present? For lost records in transit: what was in the shipment, what carrier was used, and at what point did the records go missing? For improper destruction: what documents were affected, what destruction method was used, and when did it occur? For unauthorized viewing: who had access to the physical space, for what period, and what records were present?

3. Check whether a physical access record exists. Some organizations have building security systems, keycard logs, or CCTV that can narrow the exposure window or identify who entered the space. If these records exist, preserve them immediately — many systems overwrite footage after 30–72 hours.

4. Inventory the personal information that was in the affected records. List the categories of personal information in the lost, stolen, or improperly destroyed records: names, addresses, SINs, dates of birth, health information, financial records, signatures. Identify whose records they were (clients, employees, patients) and how many individuals are affected. This inventory is the foundation of your RROSH assessment.

5. Do not issue any public statement yet. Complete your RROSH assessment before communicating externally. If the incident involves a theft, cooperate with police and document the police report number — but do not conflate the police investigation with your regulatory obligations, which run on a separate timeline.

---

What drives RROSH in this scenario

Factors that push toward RROSH:

• The records contained sensitive categories: health information, SINs, financial records (banking details, account numbers, credit card information), government-issued ID information, or information about minors
• The records contained enabling combinations: name + date of birth + address + SIN creates identity theft risk even if each field seems routine in isolation
• The breach involved deliberate theft — a targeted break-in is evidence of intent, not opportunistic access
• The records were accessible to an unknown number of people for an extended period (unlocked storage room, recycling bin in a common area)
• Improper destruction using a strip-cut shredder for sensitive documents — material can be reassembled
• Records were placed in regular trash and may have been accessed before pickup
• The destruction company has not provided a certificate of destruction or cannot confirm the records were destroyed

Factors that push against RROSH:

• The records contained only non-sensitive administrative information: appointment dates, general correspondence with no personal identifiers beyond name
• The records were in a locked container within a secured building and the breach involved no confirmed unauthorized access
• The loss was a single document with limited personal information and brief, incidental exposure
• The destruction was confirmed by a certified destruction service using a secure method with a certificate of destruction, and the incident was a procedural error that did not result in uncontrolled access

The scope-of-access problem: Physical breach RROSH assessments frequently must rely on worst-case scope because actual access cannot be determined. If a filing cabinet held 200 client files and was accessible to an unknown party, the assessment should treat all 200 files as potentially accessed — not attempt to estimate how many files a person could realistically have read in the time available. Regulators do not expect certainty; they expect a conservative and honest assessment.

---

Likely verdict range

Scenario	Typical verdict
Client or patient files containing health information, SINs, or financial data were stolen or are missing	RROSH — sensitive data with unknown access scope
Employee records including SINs, banking details, or compensation information were lost or stolen	RROSH — financial data combination
Documents containing SINs or financial records were placed in regular trash or recycled without shredding	RROSH — uncontrolled public access
Records were shredded using a strip-cut shredder	RROSH likely — material is reassemblable; treat as inadequate destruction
Client files containing name, address, and appointment history only were briefly left accessible	Case-by-case — depends on volume, duration of exposure, and who had access
A single non-sensitive document was briefly visible to one other person before being retrieved	Likely BELOW_RROSH — but document the incident
Records held by a certified destruction service were destroyed but no certificate was issued	Case-by-case — assess based on what the records contained and what confirmation exists

---

Scenario-specific obligations and complications

If RROSH is determined:

• OPC notification (PIPEDA): Report to the Office of the Privacy Commissioner of Canada as soon as feasible after determining RROSH. Use the OPC breach report form at priv.gc.ca.
• OIPC Alberta notification (AB PIPA): Notify the OIPC Alberta without unreasonable delay. Email breachnotice@oipc.ab.ca. Use the official OIPC Alberta notification form.
• OIPC BC notification (BC PIPA): Notify the OIPC BC through their official breach notification process at oipc.bc.ca.
• Individual notification: Notify each affected individual directly. The notification must describe what happened, what type of records were involved, what information they contained, what steps the organization is taking, and what individuals can do to protect themselves. For a theft involving SINs or financial data, advise individuals to place a fraud alert with Equifax and TransUnion Canada and to monitor their accounts.

If RROSH is not determined:

• No regulator notification required under PIPEDA or Alberta PIPA.
• No individual notification required.
• Internal breach record required — document the physical incident, the records inventory, the RROSH assessment and reasoning, and any remediation steps taken.
• Review the physical safeguards that failed and document the corrective action.

BC PIPA — voluntary reporting option. Under BC PIPA, organizations may voluntarily report to the OIPC BC even where RROSH is not present. For physical breaches involving BC residents where destruction was improper but access cannot be confirmed, voluntary reporting demonstrates good faith. See BC PIPA Breach Reporting.

For Ontario organizations. Ontario has no provincial private-sector privacy legislation — PIPEDA is the applicable framework. Report to the OPC at priv.gc.ca. No separate provincial regulator report is required. See Ontario Data Breach Reporting Requirements.

Complications specific to this scenario:

Records are missing but the cause is unknown — theft versus misplacement. An organization discovers a box of files is missing and cannot determine whether it was stolen, misplaced internally, or accidentally discarded. Treat this as a breach and conduct your RROSH assessment based on the worst-case scenario: that the records were accessed by an unauthorized person. Do not wait to resolve the internal uncertainty before assessing — if RROSH is present on the worst-case assumption, notify. Document your investigation into the cause and supplement your breach record as facts develop.

The police are investigating — can we wait for the investigation to conclude? No. Your PIPEDA and PIPA obligations are not suspended by a police investigation. A police report is relevant context for your breach record and may be useful for affected individuals (report numbers for fraud alerts), but the investigation timeline is not the reporting timeline. Assess RROSH on what you know and notify if the threshold is met. Update affected individuals if the investigation yields new information.

Records were mixed with general recycling or trash before the error was caught. If sensitive records were placed in recycling or general trash and you recovered them before collection, assess the period of exposure and who had physical access to the recycling or trash during that window. If collection already occurred, treat the records as having been accessible to an uncontrolled group (waste processing workers, people who encountered the bin before collection) and assess RROSH accordingly.

The records were in transit with a courier or shipping company. File a missing shipment claim with the carrier immediately and document the claim number. The carrier's investigation does not satisfy your RROSH assessment. Assess based on what the shipment contained and treat the records as potentially accessed by an unknown party. Your contract with the courier may give you a claim for damages — that contractual matter is separate from your regulatory obligations to affected individuals.

Third-party destruction service — records were not destroyed as contracted. If a document destruction company failed to destroy records, misplaced a shipment, or cannot provide a certificate of destruction, you remain the accountable organization. Contact the destruction company immediately in writing and request a full account of what happened. Assess RROSH based on what the records contained and the realistic likelihood of unauthorized access during the period they were outside your control. Document all correspondence with the destruction company.

---

Documents you will need

Regardless of RROSH determination:

• Internal breach record: date discovered, nature of the physical breach (theft, loss, improper destruction, unauthorized access), records inventory, number of individuals affected, RROSH assessment and outcome, remediation steps taken
• Police report number (if applicable)
• Certificate of destruction (if destruction company was involved and certificate was issued)

If RROSH is determined, also:

• OPC breach report (PIPEDA)
• OIPC Alberta breach notification (AB PIPA) — if Alberta individuals affected; email breachnotice@oipc.ab.ca
• OIPC BC breach notification (BC PIPA) — if BC individuals affected; submit through OIPC BC's process at oipc.bc.ca
• Individual notification letters — one per affected individual or one per household

ClearBreach generates the regulator reports and individual notification letters automatically from your assessment answers.

---

Common mistakes in this scenario

Treating a physical breach as less serious than a digital breach. Regulators apply the same RROSH standard to paper records as to digital ones. A filing cabinet full of client SINs and health information that is stolen is not less serious than a database breach of the same information. The obligation to notify is identical.

Assuming the records were not accessed because they have not appeared elsewhere. The absence of evidence that stolen or lost records have been misused does not mean RROSH is absent. RROSH is assessed at the time of the breach based on the probability of harm — not after the fact based on whether harm has materialized. By the time harm is detectable, notification is already overdue.

Using a strip-cut shredder for sensitive records and treating it as secure destruction. Strip-cut shredders are not adequate for documents containing SINs, financial records, or health information. This is a common gap in SMB physical records practices. If strip-cut shredding has been the standard practice for sensitive documents, a review of what has been processed through it and when is warranted.

Not maintaining a records inventory. When a filing cabinet or box of records goes missing, organizations often cannot quickly determine what it contained — whose records, what categories of information, how many individuals. Without a records inventory, the RROSH assessment is delayed and likely overstated. A basic inventory of what records are held, where they are stored, and how they are destroyed is both a privacy program requirement and a practical response tool.

Waiting for the police investigation before notifying regulators. Police investigations of document theft can take weeks or months, or may not result in charges. Your PIPEDA and PIPA notification timelines are not tied to the police investigation timeline. Assess and notify on your own schedule.

Failing to notify individuals after a destruction failure. Organizations sometimes discover that a document destruction service failed to destroy records but decide not to notify because "the records probably weren't accessed." Probable non-access is not the RROSH standard — the standard is whether RROSH is present given what the records contained and what is known about their disposition. If the destruction company cannot confirm what happened to the records, treat the worst case as the operative assumption.

---

MSP note

If you manage IT infrastructure for clients but this incident involves physical records at a client's location:

The physical records breach is outside your MSP scope in terms of technical response, but you may be involved if the physical records included login credentials, printed system access details, or paper copies of data your systems hold. If the physical breach creates a risk that your client's digital systems are also compromised — printed passwords, access cards, network diagrams — assess the digital exposure as a separate concurrent breach and follow the appropriate digital breach playbook in addition to this one.

If you operate a physical document management or destruction service for clients, a breach of records in your custody makes you the vendor in this scenario. Your obligations run in two directions: your own regulatory notification as an organization that experienced a breach, and your contractual obligation to notify affected clients immediately.

---

Ready to assess this breach? ClearBreach walks you through your physical records breach scenario, applies PIPEDA, Alberta PIPA, and BC PIPA simultaneously, and generates your assessment verdict, regulator reports, and individual notification letters automatically — in under 15 minutes. Start your assessment →

---

This playbook covers PIPEDA, Alberta PIPA, and BC PIPA obligations for private-sector organizations. If your organization handles personal health information under provincial health legislation — such as Alberta's Health Information Act or BC's E-Health (Personal Health Information Access and Protection of Privacy) Act — additional obligations may apply when physical health records are lost, stolen, or improperly destroyed. Those obligations are not covered here.

---

Related guides

• PIPEDA Breach Reporting Requirements — when and how to notify the OPC under PIPEDA
• Alberta PIPA Breach Notification — AB PIPA notification obligations and OIPC process
• BC PIPA Breach Reporting — BC PIPA notification obligations and OIPC BC process
• What Is RROSH? — the real risk of significant harm standard explained
• Physical Records Breach — Quick Reference — checklist for use during the incident