The Office of the Privacy Commissioner of Canada (OPC) has introduced a new security breach assessment tool to assist organizations in determining whether a breach of security safeguards poses a real risk of significant harm (RROSH) to individuals. This tool is designed to support organizations in meeting their breach reporting obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Understanding RROSH and reporting requirements

Under PIPEDA, organizations must report to the OPC and affected individuals any breach of security safeguards involving personal information under their control if it is reasonable to believe the breach creates a real risk of significant harm.

“Significant harm” can include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

To determine whether there is a real risk of significant harm, organizations are required to assess:

  • The sensitivity of the personal information involved
  • The probability that the personal information has been, is being, or will be misused

Organizations are also required to keep records of all breaches of security safeguards for at least two years, regardless of whether they meet the RROSH threshold.

How the OPC’s breach tool helps

To use the OPC’s tool, organizations are prompted to provide specific details about the breach, including:

  • The types of personal information involved
  • The number of individuals affected
  • How the breach occurred
  • Who received or may have received the personal information
  • The relationship between the affected individuals and the unauthorized party who breached or received the personal information

The tool provides a series of guided questions and, based on the organization’s responses, indicates whether a real risk of significant harm is “Likely” or “Unlikely.” This assessment is intended to help inform whether notification and reporting obligations are triggered under PIPEDA, but it is important to emphasize that the result is informational only and does not bind the OPC.

Importantly, the tool does not ask for information that identifies the organization using it, nor does it collect or send any entered data to the OPC. The OPC’s website emphasizes that the risk assessment results can be downloaded and used as part of an organization’s internal breach records. If an organization submits a privacy breach report to the OPC, it may also choose to include the tool’s results with its submission.

A word of caution: This is a guide, not legal advice

The tool is intended to aid organizations in determining their reporting and notification obligations under PIPEDA. While the tool is a helpful reference, it is not a substitute for legal advice, and its results do not represent an official position or decision by the OPC.

While the tool provides a series of questions, it is a finite resource and may not capture every consideration or circumstance relevant to determining whether there is in fact a RROSH. Organizations should consult legal counsel, especially in borderline or complex scenarios, to ensure that all obligations are properly assessed and met.

Bottom line

The OPC’s new breach tool is a practical resource that can support the determination of reporting obligations during a privacy incident. It can enhance your internal assessment process, but it should be used alongside legal advice, not in place of it.

Access the Breach Risk Assessment Tool

Need help navigating breach notification requirements? Refer to our Canadian privacy breach notification: Compliance guide for an overview of breach notification requirements across jurisdictions. Or reach out to a member of our Cyber Security & Data Protection team.