PIPEDA Breach Notification Decision Tree
Something happened to personal information your organisation holds, and you need to know what PIPEDA requires you to do about it. Answer four questions and this tool assembles the obligation checklist for your situation. No signup, no backend, nothing leaves your browser.
What triggers the analysis.
PIPEDA's breach rules turn on one concept: a breach of security safeguards. That means the loss of, unauthorised access to, or unauthorised disclosure of personal information because a safeguard failed or was missing. A stolen laptop, a hacked mailbox, a ransomware infection, a misdirected email with a client list attached, a vendor that exposed your customer data. All of these count.
Two obligations flow from there. First, you must record every breach of security safeguards, even trivial ones, and keep that record for 24 months. Second, if the breach creates a real risk of significant harm to an individual (the law calls this RROSH), you must report it to the Office of the Privacy Commissioner of Canada as soon as feasible, notify the affected individuals as soon as feasible, and notify any other organisations or government bodies that can reduce the harm. Knowingly failing to report, notify, or keep records is an offence that can lead to fines.
If PIPEDA is new territory, read our plain-talk guide to PIPEDA compliance first, or work through the PIPEDA checklist. This tool only covers the breach side.
Step through your incident.
One question at a time. Use Back to change an answer, Restart to run a different scenario. Your answers stay on your device.
What PIPEDA actually requires after a breach.
Record every breach.
Every breach of security safeguards goes in your breach register, even the trivial ones where nobody could plausibly be harmed. Keep each record for 24 months from the day you determined the breach occurred. The Privacy Commissioner can ask to see the register.
Report and notify.
If the breach creates a real risk of significant harm to any individual: report to the Office of the Privacy Commissioner of Canada as soon as feasible, notify affected individuals as soon as feasible, and notify other organisations or government bodies that can reduce the harm.
Fines for looking away.
Knowingly failing to report a RROSH breach, notify affected individuals, or keep breach records is an offence under PIPEDA and can lead to fines. Honest judgment calls made in good faith are defensible. Quiet burial of a known breach is not.
How RROSH is assessed. The law points at two factor groups: the sensitivity of the information involved, and the probability the information has been, is being, or will be misused. Sensitive data plus a plausible path to misuse means report and notify. A lost encrypted phone that was remotely wiped within the hour usually does not. A hacked inbox full of client financial records almost always does. In between, it depends, and that is exactly when you document your reasoning and get legal advice.
What good notification looks like. Tell affected people what happened, what information was involved, what you have done to reduce the risk, and what they can do to protect themselves. Do it directly (email, letter, phone) wherever possible, and do it as soon as feasible. Feasible means you may take a short pause to understand scope so your notice is accurate, not that you can sit on it for a quarter.
Breach response goes far better when the plumbing already exists: a breach register template, an incident response plan people have rehearsed, backups you have actually test-restored. That is the boring work we do for clients under managed compliance, and it is the difference between a controlled 48 hours and a very bad month.
One important caveat for Western Canada.
If your organisation is a private-sector business in British Columbia or Alberta, much of your day-to-day handling of personal information may fall under BC PIPA or Alberta PIPA rather than PIPEDA, because both provinces have their own private-sector privacy laws. Alberta PIPA has its own mandatory breach reporting, run through the Alberta Information and Privacy Commissioner, so an Alberta business may owe a report to the Alberta Commissioner rather than (or as well as) the federal one. PIPEDA still applies to some activities, including personal information that crosses provincial or national borders, so many BC and Alberta organisations need to think about both regimes.
We break this down in plain terms in BC PIPA vs PIPEDA and Alberta PIPA explained. If you operate in either province, read the one that applies to you before relying on the checklist above.
Quick answers.
Does every privacy breach need to be reported under PIPEDA?
No. You only have to report to the Privacy Commissioner and notify individuals when a breach of security safeguards creates a real risk of significant harm to someone. But every breach of security safeguards, even a trivial one, must be recorded internally and the record kept for 24 months.
How long do we have to keep breach records?
24 months from the day you determine a breach of security safeguards occurred. This applies to every breach, including ones you decided were not reportable. The Privacy Commissioner can ask to see these records, and knowingly failing to keep them is an offence that can lead to fines.
What is a real risk of significant harm (RROSH)?
RROSH is the PIPEDA threshold that triggers mandatory reporting and notification. You assess it using two factor groups: how sensitive the information is (financial data, health data, credentials, government ID numbers) and how probable misuse is (unencrypted data, a malicious actor, data not recovered, wide or long exposure). If the combination points to a real risk of significant harm, you must report and notify as soon as feasible.
Does BC PIPA or Alberta PIPA change this?
It can. Private-sector organisations in BC and Alberta fall under BC PIPA or Alberta PIPA instead of PIPEDA for much of their day-to-day handling of personal information. Alberta PIPA has its own mandatory breach reporting through the Alberta Commissioner. PIPEDA still applies to some activities, such as interprovincial and international handling, so many organisations need to consider both.
Not confident you could run this checklist for real?
Book a free 30-minute assessment with a North Star engineer. We will look at your safeguards, your backup and incident response readiness, and whether you would be able to answer these four questions quickly during an actual breach.
Get a Free Assessment Compliance services