ClearBreach


PIPEDA · AB PIPA · BC PIPA · All sectors

Unauthorized Employee Access — What Canadian Organizations Must Do

By Yong Du · Updated June 13, 2026

When a current or former employee accesses personal information beyond their authorization, PIPEDA and PIPA obligations apply regardless of whether disciplinary action is also taken.


This playbook is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.

Which laws apply

Jurisdiction: PIPEDA
  Applies when: The personal information accessed belongs to individuals in provinces without substantially similar legislation, or the organization conducts interprovincial commercial activity
  Regulator: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca

Jurisdiction: Alberta PIPA
  Applies when: Personal information about Alberta residents or employees was accessed without authorization
  Regulator: OIPC Alberta — oipc.ab.ca / breachnotice@oipc.ab.ca

Jurisdiction: BC PIPA
  Applies when: Personal information about BC residents or employees was accessed without authorization
  Regulator: OIPC BC — oipc.bc.ca

For most organizations, PIPEDA and one or both provincial statutes apply simultaneously. A separate notification is required for each applicable regulator if RROSH is determined.


What makes this scenario different

In most breach scenarios, the threat is external — a ransomware group, a phishing attacker, a vendor's compromised system. In an unauthorized employee access scenario, the person who accessed the information was inside your organization, may still be there, and already had legitimate access to some systems and records.

This creates three complications that do not exist in external breach scenarios.

The access boundary is invisible without audit logs. An external attacker who gets into your system either did or did not access specific records — and forensics can often determine which. An employee who accesses records beyond their authorization does so through the same interface, with the same credentials, and through the same systems they use every day. Without audit logging, you cannot determine what they actually viewed. Organizations that discover unauthorized employee access and have no audit logs face a RROSH assessment that cannot be resolved — which defaults to treating the worst-case scope as the likely scope.

The HR response and the privacy breach response are parallel obligations, not sequential ones. The most common mistake in this scenario is treating the discovery as an HR matter — suspending the employee, beginning an investigation, consulting legal counsel — while the privacy breach assessment waits. PIPEDA and PIPA do not wait for HR processes. Both run at the same time.

Former employee access is a credential management failure, not a different type of breach. When a former employee logs in because offboarding did not revoke their credentials, the breach has two components: the credential management failure (an organizational safeguard gap) and the unauthorized access event itself (the breach). Both require response. The cause does not change the obligation.


Immediate steps — this scenario specifically

1. Revoke access immediately — do not wait for HR confirmation. If a current employee is the subject: suspend their access to all systems that hold personal information immediately — before the employee is informed of the investigation. If they retain access during an investigation, they may delete audit log evidence or continue accessing records.

If a former employee: revoke every remaining credential at once. Conduct a full offboarding audit: email accounts, VPN, cloud platforms, third-party SaaS tools, shared passwords, physical access cards.

2. Preserve audit logs before doing anything else. Audit logs are your primary evidence of what was accessed, when, and for how long. Before any system changes, confirm that logs are preserved. If logs are held by a third-party platform (Google Workspace, Microsoft 365, a CRM), ensure log retention settings will not auto-delete them. Some platforms delete logs after 30–90 days by default.

3. Do not inform the employee that a breach review is under way until access is revoked. Informing the employee before their access is revoked creates risk of log deletion, further access, or exfiltration. Revoke access first.

4. Designate an incident lead separate from the HR lead. The HR investigation and the privacy breach assessment need separate leads. The HR process focuses on the employee. The privacy breach assessment focuses on the affected individuals whose information was accessed.


What drives RROSH in this scenario

Factors that push toward RROSH:

  • Audit logs show the employee accessed records beyond their role for an extended period or accessed a large number of records
  • Evidence of exfiltration: files downloaded, emailed to a personal account, copied to a USB drive, or printed
  • The employee had an apparent motivation to misuse the information — departing to a competitor, personal relationship with an affected individual, financial incentive
  • The information accessed is sensitive: health records, financial data, SINs, passwords, information about minors, or records that could enable identity theft
  • The employee accessed records belonging to identifiable individuals who could be harmed — a specific client, a coworker in a vulnerable situation, a public figure

Factors that push against RROSH:

  • Audit logs are complete and show only brief, limited access with no exfiltration activity
  • The information accessed was low-sensitivity — basic contact information with no financial or health data
  • The access was immediately detected and the employee's access was revoked before further access occurred
  • The employee's account is credible and consistent with audit log evidence showing curiosity rather than targeted misuse

The no-audit-log problem: If you have no audit logs, you cannot determine what was accessed. In the absence of evidence establishing a limited scope, RROSH assessment must proceed on the assumption that the employee had access to everything they could have accessed within their system permissions — which may be a broad scope. This is not a reason to delay the assessment; it is a reason to treat the scope conservatively and conduct the assessment on that basis.
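The factors above all turn on what preserved audit logs show: which records sat outside the employee's role, how sensitive they were, whether any exfiltration action appears, and how long the access went on. The following is an added illustration, not ClearBreach code; the event fields, the role-to-record-kind map, the sample export and the numeric thresholds are constructed assumptions, and the absent-log case falls through to the worst-case rule described above.

```python
"""Scope an unauthorized-access event from preserved audit logs.

Added illustration, not ClearBreach code. Event fields, ROLE_SCOPE and the
thresholds are constructed assumptions; map a real platform's export first.
"""
from datetime import datetime

# Constructed sample export: one week of events for the account under review.
SAMPLE_LOG = [
    {"ts": "2026-06-01T09:02:00", "user": "jdoe", "action": "view", "record": "client/1042", "kind": "contact"},
    {"ts": "2026-06-01T09:05:00", "user": "jdoe", "action": "view", "record": "ticket/771", "kind": "ticket"},
    {"ts": "2026-06-02T17:40:00", "user": "jdoe", "action": "view", "record": "hr/emp/18", "kind": "hr"},
    {"ts": "2026-06-04T18:12:00", "user": "jdoe", "action": "view", "record": "client/1042/billing", "kind": "financial"},
    {"ts": "2026-06-04T18:15:00", "user": "jdoe", "action": "download", "record": "client/1042/billing", "kind": "financial"},
    {"ts": "2026-06-04T18:20:00", "user": "asmith", "action": "view", "record": "hr/emp/18", "kind": "hr"},
]
# Constructed role model: which record kinds each role legitimately covers.
ROLE_SCOPE = {"support": {"contact", "ticket"}, "people_ops": {"hr", "contact"}}
EXFIL_ACTIONS = {"download", "export", "email_external", "print"}
SENSITIVE_KINDS = {"health", "financial", "sin", "hr", "minor"}


def scope_access(events, user, role):
    """Collect the evidence the RROSH factors ask for: out-of-role records,
    their sensitivity, exfiltration indicators, and the span of the access."""
    mine = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    if not mine:
        # No log evidence at all: scope cannot be established from records.
        return {"determinable": False}
    allowed = ROLE_SCOPE.get(role, set())
    outside = [e for e in mine if e["kind"] not in allowed]
    stamps = [datetime.fromisoformat(e["ts"]) for e in outside]
    return {
        "determinable": True,
        "out_of_role_records": sorted({e["record"] for e in outside}),
        "sensitive_kinds": sorted({e["kind"] for e in outside} & SENSITIVE_KINDS),
        "exfiltration": [(e["ts"], e["action"], e["record"]) for e in outside
                         if e["action"] in EXFIL_ACTIONS],
        "span_days": (max(stamps) - min(stamps)).days if stamps else 0,
    }


def leans_toward_rrosh(summary, max_records=5, max_span_days=1):
    """Apply the page's factors. Thresholds are assumptions, not regulatory
    figures; absent logs default to the worst-case (toward RROSH) reading."""
    if not summary["determinable"]:
        return True
    return bool(summary["exfiltration"] or summary["sensitive_kinds"]
                or len(summary["out_of_role_records"]) > max_records
                or summary["span_days"] > max_span_days)
```

The summary is the evidence to record in the internal breach record alongside the employee's own account; the boolean is a screening aid, not the assessment itself.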


Likely verdict range

Scenario: Employee accessed records outside their role; audit logs confirm brief viewing, no exfiltration, low-sensitivity data
Typical verdict: BELOW_RROSH — but document the assessment and reasoning

Scenario: Employee accessed client financial records, HR files, or health information outside their role; exfiltration not confirmed but also not ruled out
Typical verdict: RROSH — probability of misuse cannot be sufficiently reduced

Scenario: Employee departing to a competitor accessed client list, pricing data, or business-sensitive personal records
Typical verdict: RROSH — motivation and sensitivity both elevated

Scenario: Former employee with live credentials logged in after termination; audit logs confirm limited access to non-sensitive records
Typical verdict: Case-by-case — assess sensitivity and scope

Scenario: Former employee with live credentials accessed records over weeks or months without detection
Typical verdict: RROSH — extended unauthorized access with no detection significantly increases probability of misuse

Scenario: No audit logs; employee had broad system permissions
Typical verdict: Assess on worst-case scope — RROSH likely unless information held was uniformly low-sensitivity

Scenario-specific obligations and complications

If RROSH is determined:

  • OPC notification (PIPEDA): Notify the OPC as soon as feasible after determining RROSH. Do not wait for the HR investigation to conclude.
  • OIPC Alberta notification (AB PIPA): Notify the OIPC Alberta without unreasonable delay if Alberta residents' information was accessed.
  • OIPC BC notification (BC PIPA): Notify the OIPC BC as soon as reasonably possible if BC residents' information was accessed.
  • Individual notification: Notify each affected individual directly. This is notification to the people whose records were accessed — not notification to the employee who did the accessing.

If RROSH is not determined:

  • No regulator notification required.
  • No individual notification required.
  • Internal breach record required — document what was accessed, your RROSH assessment, and your reasoning.
  • Address the underlying access control gap regardless of RROSH determination.

BC PIPA — voluntary reporting option. Under BC PIPA, organizations may voluntarily report a breach to the OIPC BC even where RROSH is not present. For cases involving BC residents where RROSH is borderline, voluntary reporting demonstrates good faith.

For Ontario organizations. Ontario has no provincial private-sector privacy legislation — PIPEDA is the applicable framework. Report to the OPC at priv.gc.ca. No separate provincial regulator report is required. See Ontario Data Breach Reporting Requirements.

Complication — the affected individuals include coworkers. In many unauthorized access scenarios, the records accessed belong to other employees — coworkers whose HR files, performance reviews, medical accommodation records, or personal information was viewed. Individual notification obligations apply to those coworkers on the same basis as to clients or customers. This creates an internal HR and workplace dynamic that must be managed carefully — but it does not reduce the notification obligation.

Complication — the employee is also a suspect in a legal matter. If the unauthorized access is part of a broader investigation — potential theft of trade secrets, a harassment matter, or a criminal referral — legal counsel needs to be involved. The privacy breach assessment still runs. The two processes are parallel, not sequential. Evidence preservation may require different handling than a standard breach response.


Documents you will need

Regardless of RROSH determination:

  • Internal breach record: date discovered, who accessed what, scope of access based on audit logs, RROSH assessment outcome and reasoning, actions taken
  • Audit log exports — preserve before any system changes

If RROSH is determined, also:

  • OPC breach report (PIPEDA)
  • OIPC Alberta breach report (AB PIPA) — if Alberta individuals affected; email breachnotice@oipc.ab.ca
  • OIPC BC breach report (BC PIPA) — if BC individuals affected
  • Individual notification letters — for each person whose records were accessed

ClearBreach generates the regulator reports and individual notification letters automatically from your assessment answers.


Common mistakes in this scenario

Treating it as an HR matter and not starting the breach assessment. The employee's conduct is an HR issue. The exposure of other individuals' personal information is a privacy breach. Both require a response. Organizations that focus exclusively on disciplining the employee and never conduct a RROSH assessment are non-compliant regardless of the outcome of the HR process.

Not revoking access before informing the employee. Telling an employee they are under investigation for unauthorized access while they still have system access allows them to delete records, escalate access, or continue the breach. Revoke access first. Inform the employee afterward through HR.

Not preserving audit logs immediately. Audit logs are evidence. Many organizations assume logs are retained indefinitely — they are not. Cloud platforms, CRMs, and email systems often have default log retention of 30–90 days. Failure to preserve logs before they auto-delete makes RROSH assessment impossible and creates a regulatory exposure that cannot be recovered.

Assuming the employee's stated motivation resolves the assessment. "They said they were just curious" is the most common explanation. It may be true. It does not replace an evidence-based RROSH assessment. Document what the employee said and what the audit logs show — if they are consistent, the explanation carries weight. If they are not consistent, the evidence governs.

Skipping individual notification because the information was "only viewed." Viewing personal information without authorization is a breach of security safeguards. RROSH assessment does not require confirmed exfiltration — it requires assessment of the real risk of significant harm. Confirmed exfiltration increases that risk; the absence of confirmed exfiltration does not eliminate it.

Failing to close the underlying access control gap. After the immediate response, the offboarding failure or permission over-provisioning that enabled the breach must be corrected. Regulators expect organizations to address root causes — a second unauthorized access incident involving the same gap is significantly harder to defend.


MSP note

If you are an MSP and an employee at your organization accessed a client's data without authorization:

The client organization holds the data and is the accountable party for PIPEDA and PIPA purposes. Your obligation is to notify the client immediately and completely — including what was accessed, when, and what steps you have taken. Do not manage the client's breach notification on their behalf without their explicit direction.

If you are an MSP managing this response for a client whose employee accessed records without authorization, assist the client with the RROSH assessment and notification. Run a ClearBreach assessment under your MSP account for the affected client organization.


Ready to assess this breach? ClearBreach walks you through your unauthorized access scenario, applies PIPEDA, Alberta PIPA, and BC PIPA simultaneously, and generates your assessment verdict, regulator reports, and individual notification letters automatically — in under 15 minutes. Start your assessment →


This playbook covers PIPEDA, Alberta PIPA, and BC PIPA obligations for private-sector organizations. If your organization handles personal health information under provincial health legislation — such as Alberta's Health Information Act or BC's E-Health (Personal Health Information Access and Protection of Privacy) Act — unauthorized employee access to that information may trigger additional obligations under those statutes that are not covered here.


Frequently asked questions

An employee accessed client records they were not authorized to view — is this a reportable breach?

It depends on RROSH — real risk of significant harm. The access itself is a breach of security safeguards under PIPEDA regardless of RROSH. Whether you must notify the OPC and affected individuals depends on what was accessed, how sensitive it was, whether evidence of exfiltration exists, and what the employee's apparent motivation was. The internal documentation obligation applies in all cases. Do not treat this as an HR matter only — the privacy breach assessment runs in parallel with any disciplinary process.

A former employee still had access to our systems after they left and logged in — what are my obligations?

This is a breach of security safeguards — both a credential management failure and an unauthorized access event. Start your RROSH assessment immediately based on what audit logs show the former employee accessed. Revoke all remaining credentials at once. The fact that the access resulted from an offboarding failure does not reduce your obligations. If RROSH is present, you notify the applicable regulator and affected individuals on the same timeline as any other breach.

Can I wait until the HR or legal investigation is complete before deciding whether to report?

No. The privacy breach assessment and the HR or legal process run in parallel — they are not sequential. PIPEDA requires notification as soon as feasible after determining RROSH is present. An ongoing internal investigation is not a recognized basis for delaying notification. Assess RROSH on what you know now, notify if the threshold is met, and update affected individuals if material new information emerges from the investigation.

The employee says they were just curious and did not do anything with the information — does that affect RROSH?

Stated motivation is one factor in the RROSH assessment, but it is not determinative. An employee who claims curiosity and whose audit logs show brief views of records with no exfiltration activity presents a lower probability of misuse than one whose logs show extended access, file downloads, or forwarding to a personal email. What the employee says they intended does not override what the evidence shows they did. Document the employee's account, document the audit log evidence, and assess RROSH on the full picture.
