Privacy Breach Notification — PIPEDA (Canada)
PRIVACY BREACH NOTIFICATION — PIPEDA
Organization: [Organization Name], [Organization Address]
Privacy Officer: [Privacy Officer Name] | [Privacy Officer Email] | [Privacy Officer Phone]
Province: [Province]
Internal Incident Number: [Internal Incident Number]
Report Date: [Report Date]
Prepared By: [Prepared By]
Authority: Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, s.10.1; Breach of Security Safeguards Regulations, SOR/2018-64 (the 'Breach Regulations'). This notification is submitted pursuant to the obligation to notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals of a breach of security safeguards involving personal information that creates a real risk of significant harm.
PART A — BREACH DETAILS
Date Breach Discovered: [Breach Discovery Date]
Date / Period When Breach Occurred: [Breach Occurrence Date]
Type of Breach: [Breach Type]
Description of Breach: [Breach Description]
Categories of Personal Information Involved: [Information Involved]
Estimated Number of Individuals Affected: [Number of Individuals Affected]
Geographic Scope: [Geographic Scope]
PART B — RISK OF SIGNIFICANT HARM ASSESSMENT
Sensitivity of Personal Information Involved: [Sensitivity of Information]
Likelihood of Misuse: [Likelihood of Misuse]
Real Risk of Significant Harm Determination: [Real Risk Determination]
Risk Assessment Basis: Under PIPEDA s.10.1(8), the factors relevant to whether a breach creates a real risk of significant harm include: (a) the sensitivity of the personal information involved; (b) the probability that the information has been, is being, or will be misused; and (c) any other prescribed factor. Under s.10.1(7), 'significant harm' includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
PART C — CONTAINMENT AND REMEDIATION
Containment Actions Taken: [Containment Actions]
Remediation Actions Planned / Underway: [Remediation Actions]
Third-Party Service Provider Involvement: [Third Party Involved]
Third-Party Name: [Third Party Name]
PART D — OPC NOTIFICATION
Date OPC Notified: [OPC Notification Date]
OPC File / Reference Number: [OPC Reference Number]
OPC Notification Requirements: Under PIPEDA s.10.1(1)-(2) and s.2 of the Breach Regulations, the organization must report to the OPC, in writing, as soon as feasible after determining that a breach of security safeguards involving personal information under its control creates a real risk of significant harm to an individual. The report must contain: a description of the circumstances of the breach and, if known, its cause; the day or period during which the breach occurred (or an approximate period if unknown); a description of the personal information involved, to the extent known; the number of individuals affected, or an approximate number; the steps taken to reduce the risk of harm to affected individuals or to mitigate that harm; the steps taken or intended to notify affected individuals; and the name and contact information of a person who can answer the OPC's questions on the organization's behalf. Under s.10.2 the organization must also notify any other organization or government institution (including law enforcement) that it believes may be able to reduce the risk of harm or mitigate it; record those notifications here as well.
PART E — INDIVIDUAL NOTIFICATION
Notification Method: [Individual Notification Method]
Date Notifications Sent / Planned: [Individual Notification Date]
Key Information Included in Notification: [Notification Content]
Individual Notification Requirements: Under PIPEDA s.10.1(3), unless otherwise prohibited by law, the organization must notify an affected individual of any breach of security safeguards involving the individual's personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm to that individual, as soon as feasible after determining the breach has occurred (s.10.1(6)). Under s.10.1(4) and s.3 of the Breach Regulations, the notification must describe the circumstances of the breach, the day or period during which it occurred (or an approximate period), the personal information involved (to the extent known), the steps the organization has taken to reduce the risk of harm or mitigate it, the steps the individual could take to reduce or mitigate that harm, and contact information the individual can use to obtain further information. Notification must be given directly (Breach Regulations s.4: by email or another secure form of communication the individual has consented to, by letter to the last known home address, by telephone, or in person) unless direct notification would be likely to cause further harm to the individual, would be likely to cause undue hardship for the organization, or the organization does not have the individual's contact information (s.5(1)). In those cases indirect notification is permitted: a conspicuous message posted on the organization's website for at least 90 days, or an advertisement likely to reach the affected individuals (s.5(2)).
PART F — RECORD KEEPING OBLIGATION
Under PIPEDA s.10.3 and s.6 of the Breach Regulations, [Organization Name] is required to maintain a record of every breach of security safeguards, regardless of whether the breach creates a real risk of significant harm, for 24 months after the day on which the organization determines that the breach has occurred. The record must contain enough information to allow the OPC to verify compliance with ss.10.1(1) and 10.1(3), and must be provided to the OPC on request (s.10.3(2)). The organization's privacy breach log will record all relevant details of this incident for that retention period.
Authorized Signatory (Privacy Officer or delegate) for [Organization Name]
________________
Signature
Date: ________________
What Is a Privacy Breach Notification — PIPEDA (Canada)?
A PIPEDA Privacy Breach Notification is the document an organization prepares to report a breach of security safeguards to the OPC and to notify affected individuals, as required by PIPEDA s.10.1 and the Breach of Security Safeguards Regulations. This template also captures the real-risk-of-significant-harm assessment that drives those obligations and the breach record that s.10.3 requires.
A 'breach of security safeguards' is defined in PIPEDA s.2(1) as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards under Principle 7 (Safeguards, clause 4.7 of Schedule 1), or from a failure to establish those safeguards. It covers cyberattacks (intrusion, ransomware, credential phishing), accidental disclosures (misdirected emails, documents mailed to the wrong address, files exposed on a public share, lost USB drives) and theft or loss of devices or paper records containing personal information. The definition is not limited to exfiltration: unauthorized access alone, such as an insider viewing records without a business need, is a breach, and ransomware that renders records inaccessible may amount to loss of the information even where nothing is shown to have left the network.
PIPEDA applies to the collection, use, and disclosure of personal information by private sector organizations in the course of commercial activity in Canada — including federal works, undertakings, and businesses, and organizations that transfer personal information across provincial or national borders. Organizations carrying on business exclusively within Alberta, British Columbia, or Quebec are generally subject to their provincial private sector privacy legislation (PIPA AB, PIPA BC, or Law 25 QC) rather than PIPEDA, unless they engage in interprovincial or international transactions.
The PIPEDA breach notification framework has three core obligations: (1) a report to the OPC as soon as feasible after the organization determines that a breach creates a real risk of significant harm (s.10.1(1)); (2) notification to affected individuals, as soon as feasible, where the breach creates a real risk of significant harm to them (s.10.1(3)); and (3) a record of every breach of security safeguards, kept for 24 months after the day the organization determines the breach occurred, whether or not it creates a real risk of significant harm (s.10.3). A related duty under s.10.2 is to notify any other organization or government institution (for example law enforcement) that the organization believes may be able to reduce the risk of harm or mitigate it.
The legal framework for this document is PIPEDA (S.C. 2000, c. 5), in particular s.2(1) (definition of 'breach of security safeguards'), s.10.1 (reporting to the OPC and notifying individuals), s.10.2 (notifying other organizations), s.10.3 (record-keeping) and s.28 (offences), together with the Breach of Security Safeguards Regulations (SOR/2018-64), which prescribe the contents of the OPC report and of individual notifications, the permitted forms of direct and indirect notification, and the breach record requirement. The OPC administers and enforces these provisions. Parties preparing a notification should confirm the document reflects current law, including any amendments enacted since the original drafting date.
When Do You Need a Privacy Breach Notification — PIPEDA (Canada)?
A PIPEDA Privacy Breach Notification is required whenever an organization subject to PIPEDA determines that a breach of security safeguards has occurred involving personal information that creates a real risk of significant harm to the affected individuals. The notification obligation is triggered by the organization's determination — not by the actual occurrence of harm — so organizations must act promptly once they become aware of a potential breach.
In practice, a breach notification is needed in the following circumstances. Cyberattacks: when an organization's systems are compromised by unauthorized access, ransomware, malware, or phishing that may have exposed personal information, including names, SINs, financial account numbers, health records, passwords, or other sensitive data. Accidental disclosures: when personal information is mistakenly sent to the wrong recipient (for example a misdirected email containing client financial records, a letter sent to the wrong address, or a document inadvertently posted publicly). Lost or stolen devices: when a laptop, USB drive, or mobile device containing unencrypted personal information is lost or stolen. Third-party vendor breaches: when a service provider or subcontractor that processes personal information on the organization's behalf experiences a breach, because information transferred to a service provider remains under the organization's control (Principle 4.1.3) and s.10.1 places the reporting obligation on the organization that controls it.
Organizations should conduct a rapid risk assessment within 24-72 hours of discovering a potential breach to determine whether the breach creates a real risk of significant harm. This assessment considers the sensitivity of the information involved and the probability of misuse. High-sensitivity data (SINs, financial account numbers, health records, passwords) breached by a malicious actor is almost always a real risk of significant harm. Lower-sensitivity data inadvertently disclosed to a known, trustworthy party may not meet the threshold.
Note that even when a breach does not meet the real risk of significant harm threshold, the organization must still record it, keep that record for 24 months after the day it determined the breach occurred, and provide the record to the OPC on request (s.10.3).
What to Include in Your Privacy Breach Notification — PIPEDA (Canada)
A thorough PIPEDA Privacy Breach Notification to the OPC must include the following elements, as prescribed by the Breach of Security Safeguards Regulations.
Organization Identification: The organization's full legal name, principal address, and the name, title, email, and phone number of the Privacy Officer designated under PIPEDA Principle 1 (Accountability). The Privacy Officer is the contact for OPC communications and for individuals seeking information about the breach.
Breach Description: A clear, factual description of the circumstances of the breach — including when it occurred (or the estimated range of dates), when it was discovered, and how it was discovered. Identify the type of breach (unauthorized access, accidental disclosure, theft, ransomware, etc.) and describe the specific systems, records, or processes involved.
Personal Information Involved: A specific description of the categories of personal information that were or may have been compromised — full names, dates of birth, SINs, financial account numbers and types, health information, passwords or authentication credentials, and any other personal data. Identify the approximate number of individuals whose information was involved and the geographic scope (provinces, countries).
Risk of Significant Harm Assessment: Document the organization's assessment of whether the breach creates a real risk of significant harm under PIPEDA s.10.1(7)-(8). Consider: the sensitivity of the information (SINs, financial data, health information and credentials are highly sensitive); the probability of misuse (malicious access is higher risk than accidental disclosure to a trusted party who confirms deletion); and any other relevant factor, such as whether the data was encrypted with keys the attacker did not obtain. Identify the potential types of harm (financial loss, identity theft, reputational damage, etc.).
Containment and Remediation: Describe actions taken to contain the breach (isolating systems, revoking access, notifying payment processors) and remediation measures planned or underway (forensic investigation, security patches, staff training, policy changes).
OPC Notification and Individual Notification Details: Record the date OPC was notified, any OPC reference number assigned, the method of notifying affected individuals, the date notifications were sent, and the key information included in the individual notification messages.
Record-Keeping: Document the internal incident reference number for the organization's 24-month breach record, the date of the notification document, and the name and title of the person preparing the notification.
Sources & Citations
Statutory citations link to official government sources.
- Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5
- Breach of Security Safeguards Regulations, SOR/2018-64
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Breach Notification — PIPEDA (Canada) (Canada) [Legal document template]. Forms Legal. https://forms-legal.com/canada/business/policies/privacy-breach-notification-pipeda-canada
"Privacy Breach Notification — PIPEDA (Canada) (Canada)." Forms Legal, 2026, https://forms-legal.com/canada/business/policies/privacy-breach-notification-pipeda-canada.
@misc{formslegal-privacy-breach-notification-pipeda-canada,
author = {{Forms Legal}},
title = {Privacy Breach Notification — PIPEDA (Canada) (Canada)},
year = {2026},
howpublished = {\url{https://forms-legal.com/canada/business/policies/privacy-breach-notification-pipeda-canada}},
note = {Free legal document template. Based on the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), s.10.1, and the Breach of Security Safeguards Regulations (SOR/2018-64)}
}
Frequently Asked Questions
How quickly must the OPC be notified of a breach?
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, s.10.1(1)-(2), and the Breach of Security Safeguards Regulations (SOR/2018-64), an organization subject to PIPEDA must report to the Office of the Privacy Commissioner of Canada (OPC) any breach of security safeguards involving personal information under its control where it is reasonable to believe the breach creates a 'real risk of significant harm' to an individual, as soon as feasible after determining the breach has occurred. No fixed number of days is prescribed; 'as soon as feasible' means without unreasonable delay, and the organization should document any reasons for delay, since the OPC may ask for them.
How is 'real risk of significant harm' assessed?
Under PIPEDA s.10.1(8), the relevant factors include: (1) the sensitivity of the personal information involved (SINs, financial account details, health information, and passwords are highly sensitive); (2) the probability that the information has been, is being, or will be misused; and (3) any other prescribed factor. Under s.10.1(7), 'significant harm' includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. The risk must be real, not merely theoretical, but the harm does not need to be probable.
How long must breach records be kept?
Under PIPEDA s.10.3 and s.6 of the Breach Regulations, organizations must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred, regardless of whether the breach created a real risk of significant harm. The record must contain enough information to allow the OPC to verify compliance with the reporting and notification obligations in s.10.1, and must be provided to the OPC on request. This applies even to breaches that do not trigger a report to the OPC or notification to individuals.
Does PIPEDA apply in Alberta, British Columbia and Quebec?
Alberta, British Columbia, and Quebec have private sector privacy legislation that has been declared 'substantially similar' to PIPEDA: Alberta's Personal Information Protection Act (PIPA), BC's PIPA, and Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25. Organizations carrying on business within these provinces are generally subject to the provincial legislation rather than PIPEDA for intraprovincial matters, but PIPEDA still applies to interprovincial and international transactions and to federal works, undertakings and businesses. Each of these provincial statutes has its own breach notification requirements, which may differ from PIPEDA in thresholds, timing and content.
What are the penalties for failing to notify?
Under PIPEDA s.28, an organization that knowingly contravenes s.10.1 (reporting and notification) or s.10.3(1) (record-keeping), or that obstructs the OPC in an investigation or audit, commits an offence: on summary conviction, a fine of up to CAD $10,000; on indictment, a fine of up to CAD $100,000. The OPC may also audit the organization's personal information management practices (s.18), make its findings public, and, following a complaint, apply to the Federal Court, which may order the organization to correct its practices and award damages to the complainant (ss.14-16). Reputational harm and civil liability in tort, including class actions, can exceed the statutory fines.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified lawyer for advice specific to your situation.
Related Documents
You may also find these documents useful:
Privacy Impact Assessment (PIA) — Canada
Conduct a Privacy Impact Assessment (PIA) for a new project, system, or initiative under PIPEDA and the Treasury Board PIA Directive. Covers personal information flows, risk analysis, PIPEDA ten Fair Information Principles compliance, and approval documentation.
Privacy Complaint to OPC — PIPEDA (Canada)
File a privacy complaint with the Office of the Privacy Commissioner of Canada (OPC) under PIPEDA ss.11-12. Covers access denied, unauthorized collection, unauthorized disclosure, failure to correct, and breach notification complaints against private sector organizations.
Privacy Policy (Canada)
Canadian privacy policy compliant with PIPEDA, Quebec Law 25, and provincial privacy legislation (AB PIPA, BC PIPA), including CASL anti-spam requirements.
Non-Disclosure Agreement (NDA) (Canada)
Protect your confidential business information under Canadian law with our free NDA template. Built for all provinces and territories, this agreement references PIPEDA (Personal Information Protection and Electronic Documents Act) and lets you select your governing province. Covers mutual and one-way confidentiality, trade secrets, proprietary data, and includes Canadian entity types (corporation, partnership, sole proprietorship). Fill out the wizard, preview your document in real time, and download as PDF or Word — no account required.
Data Processing Agreement (Canada)
Canadian data processing agreement compliant with PIPEDA accountability principles, Quebec Law 25 processor requirements, and provincial privacy acts (AB PIPA, BC PIPA).