PIPEDA Privacy Breach Report (Canada)
What is a PIPEDA Privacy Breach Report (Canada)?
A PIPEDA Privacy Breach Report in Canada is a legally binding written instrument.
PIPEDA applies to personal information — defined in section 2(1) as "information about an identifiable individual" — collected, used, or disclosed in the course of commercial activity by private sector organizations in Canada, with the exception of provinces whose substantially similar provincial privacy legislation has displaced PIPEDA for intra-provincial commercial activities (Alberta's PIPA, British Columbia's PIPA, and Quebec's Act respecting the protection of personal information in the private sector as amended by Law 25). Organizations operating in multiple provinces must comply with PIPEDA as the minimum standard and with more stringent provincial rules where applicable.
A breach of security safeguards is defined under the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA, Section 10.1) as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards under Principle 7 of Schedule 1 of the Act 2000, or from a failure to have adequate safeguards in place. Security safeguards under Principle 7 must be appropriate to the sensitivity of the information and must protect against risks such as unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction. The Act 2000 establishes these requirements through its ten fair information principles codified in Schedule 1.
The mandatory reporting obligation under Section 10.1 of the Act 2000 is triggered when the organization determines that a breach of security safeguards involving personal information has occurred and that the breach creates a real risk of significant harm (RROSH) to affected individuals. Section 10.2 of the Act 2000 governs the notification of affected individuals, while Section 10.3 requires organizations to maintain breach records for 24 months. The RROSH assessment requires consideration of the sensitivity of the personal information, the probability that the information has been, is being, or will be misused, and any other relevant factors. The OPC has published RROSH guidance confirming that sensitive information categories — health records, financial account numbers, Social Insurance Numbers, passwords, biometric data — generally carry a presumption of RROSH.
Quebec's Act respecting the protection of personal information in the private sector 2021 (Law 25), which amended the Privacy Act 1994 of Quebec (CQLR c P-39.1), imposes parallel breach notification obligations with important differences from PIPEDA: organizations must notify the Commission d'accès à l'information (CAI) and affected individuals within 72 hours under Section 3.5 of the Act 2021; the notification obligation extends to breaches involving personal information of Quebec residents even if the organization is not headquartered in Quebec; and administrative monetary penalties of up to $25 million or 4% of worldwide turnover are available for serious violations — substantially higher than PIPEDA's $100,000 summary conviction penalty under Section 28 of the Act 2000. The Privacy Act 1985 (R.S.C. 1985, c. P-21) governs federal government institutions separately, administered by the Privacy Commissioner of Canada under Section 29 of the Act 1985. The Canada Business Corporations Act 1985 (R.S.C. 1985, c. C-44), enforced by Corporations Canada, applies to federally incorporated organizations subject to breach reporting. The Income Tax Act 1985 (R.S.C. 1985, c. 1) requires organizations to protect taxpayer SIN information, making SIN breaches particularly reportable under Section 10.1 of the Act 2000.
When do you need a PIPEDA Privacy Breach Report (Canada)?
A Canadian PIPEDA Privacy Breach Report is needed whenever an organization subject to PIPEDA discovers that a breach of security safeguards has occurred involving personal information and must assess whether mandatory reporting and notification obligations are triggered.
Organizations that experience a ransomware attack — one of the most common breach types reported to the OPC, involving encryption of organizational systems and potential exfiltration of personal data — must complete a RROSH assessment immediately upon discovery. If the assessment confirms RROSH, the organization must report to the OPC and notify affected individuals as soon as feasible. The OPC's published Guidance on Ransomware confirms that organizations cannot assume no exfiltration occurred simply because the attacker demanded payment rather than publishing data; a thorough forensic investigation is required before concluding there is no RROSH.
Healthcare organizations — hospitals, clinics, pharmacies, insurance companies, and digital health platforms — that experience unauthorized access to patient health records trigger both PIPEDA's breach notification obligations under Section 10.1 of the Act 2000 and provincial health privacy legislation obligations. Ontario's Personal Health Information Protection Act 2004 (PHIPA, Section 12) requires health information custodians to notify the Information and Privacy Commissioner of Ontario (IPC) and affected individuals. Alberta's Health Information Act 1999 (Section 60) and British Columbia's E-Health Act 2008 (Section 14) impose equivalent notification requirements. The Act 2004 (PHIPA) obligations apply in addition to PIPEDA obligations for Ontario health organizations.
Financial services organizations — banks, insurance companies, credit unions, investment dealers, and payment processors — that experience breaches involving financial account numbers, credit card data, SINs, or investment account information carry a high RROSH presumption and must report to the OPC and notify affected individuals promptly. Federally regulated financial institutions supervised by the Office of the Superintendent of Financial Institutions (OSFI) are also subject to OSFI's Technology and Cyber Risk Management Guideline B-13, which requires timely reporting of significant technology incidents to OSFI.
Retailers, e-commerce platforms, and digital service providers that experience breaches of customer databases containing names, email addresses, passwords, and payment card data — through SQL injection, credential stuffing, third-party vendor compromise, or insider access — must complete RROSH assessments and file PIPEDA breach reports where the criteria are met. The OPC's investigation reports — including findings against major Canadian retailers — have established that inadequate encryption, weak access controls, and failure to apply security patches constitute failures of Principle 7 safeguard obligations.
Organizations that discover that a third-party service provider — a cloud provider, payroll processor, or IT vendor — has experienced a breach involving the organization's personal information must take primary responsibility for the PIPEDA notification obligations, because accountability under PIPEDA's Principle 1 remains with the organization that transferred the data, regardless of who caused the breach. The data sharing agreement should require the service provider to notify the organization within 24 to 72 hours of discovering the breach; the organization then completes its own RROSH assessment and files the OPC report.
What should a PIPEDA Privacy Breach Report (Canada) contain?
A complete Canadian PIPEDA Privacy Breach Report contains specific information required by the Security Breach of Personal Information Regulations (SOR/2018-64) and the OPC's breach reporting guidance to satisfy the mandatory reporting and notification obligations.
The organization identification section states the organization's full legal name, mailing address, and the name and contact information of the privacy officer or designated contact who can answer the OPC's questions about the breach. The organization must also identify whether it is subject solely to PIPEDA or also to provincial privacy legislation (Quebec's Law 25, Alberta's PIPA, BC's PIPA) that may impose additional or more stringent obligations.
The breach description section provides a factual narrative of the breach: what happened (unauthorized access, data exfiltration, lost device, misdirected email, vendor breach), when it was discovered, when it is believed to have begun, how long it lasted, and how it was discovered. The description should be accurate and thorough — the OPC may follow up with detailed questions, and inconsistencies between the initial report and subsequent disclosures can undermine the organization's credibility.
The personal information involved section identifies the categories of personal information affected by the breach and the number of individuals affected (or the estimated range if the exact number is not yet known). The OPC uses the sensitivity of the personal information categories as a key input into its assessment of the adequacy of the organization's security safeguards. High-sensitivity categories — SINs, financial account numbers, health records, passwords, biometric identifiers, and children's information — require enhanced explanation of the safeguards that were in place and why they failed.
The RROSH assessment section documents the organization's analysis of whether the breach creates a real risk of significant harm, addressing: the sensitivity of the personal information; the probability of misuse (has the data appeared on dark web forums, has the attacker made ransom demands, are there indications of actual misuse by affected individuals); and any other relevant factors. A well-documented RROSH assessment demonstrates that the organization applied a principled analysis rather than reflexively concluding either that all breaches or no breaches require notification.
The mitigation steps section describes the technical and organizational measures taken immediately after breach discovery to contain and remediate the breach — isolating affected systems, resetting compromised credentials, patching vulnerabilities, revoking unauthorized access, engaging a cybersecurity forensics firm, and preserving evidence for potential law enforcement referral. The OPC expects organizations to take prompt containment steps; delays in containment that allow further access or data exfiltration reflect poorly on the organization's breach response.
The individual notification section describes how affected individuals were or will be notified — the notification method (direct email, postal letter, phone, website notice), the content of the notification (a clear description of the breach, the personal information involved, the steps the organization has taken, the steps individuals can take to protect themselves, and contact information for further questions), and the timing of notification. The notification should enable individuals to take concrete protective actions — such as placing a fraud alert with Equifax Canada or TransUnion Canada, changing passwords, or monitoring financial accounts for unauthorized activity.
The breach record section confirms that the organization will maintain a record of the breach for a minimum of 24 months from the date the organization determined the breach occurred, as required by section 10.3 of PIPEDA, regardless of whether the breach triggers mandatory reporting. This record must be made available to the OPC upon request and should include all documentation related to the organization's RROSH assessment, notification decisions, and remediation steps.
Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. The forms-legal.com PIPEDA Privacy Breach Report (Canada) template covers the mandatory elements under the Canada Business Corporations Act (R.S.C. 1985, c. C-44).
Sources & Citations
Statutory citations link to official government sources. Last verified by Forms Legal Editorial Team.
Frequently asked questions
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.