On March 26, 2025, the Office of the Privacy Commissioner of Canada (OPC) released a privacy breach real risk of significant harm assessment tool (Tool) for organizations.
In this bulletin, we provide an overview of breach reporting obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), discuss how the Tool works, and share some helpful reminders and tips for conducting the real risk of significant harm analysis (RROSH analysis).
Overview of PIPEDA Breach Reporting Obligations
Pursuant to section 10.1 of PIPEDA, organizations subject to the Act are required to report to the OPC, and to notify affected individuals of, any breach of security safeguards involving personal information under the organization’s control where it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual. Both the report and the notification must be made as soon as feasible after the organization determines that the breach has occurred. PIPEDA broadly defines “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. Separately from the reporting threshold, PIPEDA requires organizations to keep a record of every breach of security safeguards, whether or not it meets the real risk of significant harm threshold, and to provide those records to the OPC on request. In assessing risk, PIPEDA expressly requires organizations to consider:
- The sensitivity of the personal information involved in the breach
- The probability that the personal information has been, is being, or will be misused
- Any other prescribed factor (no additional factors have been prescribed to date)
How Does the Tool Work?
The Tool is intended to assist organizations that have experienced a privacy breach in self-assessing whether the breach creates a real risk of significant harm and, consequently, whether the organization is required to report the breach. The Tool does not ask for information that identifies the organization, and the information entered into the Tool is not collected by or sent to the OPC. Completing the Tool is therefore not itself a report to the OPC; where the analysis concludes that reporting is required, the organization must still file a breach report with the OPC and notify affected individuals.
To use the Tool, organizations are required to know the types of personal information involved (e.g., contact information, demographic information, banking information, government-issued identification, messages, surveillance information, health information) and approximately how many individuals were affected.
Organizations then answer a series of questions about the context of the breach, such as how the breach occurred, who received the personal information, the relationship between the unauthorized recipient and the affected individuals, known or anticipated characteristics of the affected individuals (e.g., limited experience with Canadian laws and rights, criminal record status, involvement in a legal or custody dispute, being a victim of family violence, or existing safety and security risks), and specifics regarding the categories of personal information involved.
Organizations are given an option to review and edit their responses before submitting them. The Tool then generates a report indicating whether the breach is likely to create a real risk of significant harm and whether the organization needs to report it. The report also identifies potential harms that may arise from the breach, such as bank account or payment fraud, phishing, financial exploitation, public shaming or identity fraud.
How Should an Organization Use the Tool?
The Tool is not intended to replace an organization’s formal risk assessment or to provide legal advice. There may be factors not covered by the Tool that could influence the analysis, or aspects of a breach that the Tool overemphasizes because it lacks context. We recommend that organizations use the Tool as a preliminary assessment, or as a guide to the questions to consider when conducting the RROSH analysis, and that they not treat the Tool’s output as conclusive.
Organizations should note that the Tool is only intended to support the breach notification requirements under PIPEDA. Depending on the type of organization involved, the location of the affected individuals and whether the organization’s information systems are otherwise regulated, additional breach reporting obligations may also be engaged under provincial private-sector privacy laws, public-sector privacy laws, provincial health information laws, or sector-specific rules such as the reporting obligations that apply to financial institutions. Those regimes may use different thresholds, timelines and recipients than PIPEDA. As such, it is important to always consult with privacy and legal teams when determining breach reporting obligations.
Tips for Conducting a RROSH Analysis
The following tips can help you conduct the RROSH analysis:
- Consult with the privacy officer and internal or external legal teams to ensure that all relevant factors of the breach are analyzed in accordance with all applicable laws
- Consider OPC guidance when assessing the sensitivity of the personal information involved and the probability that it has been, is being, or will be misused
- Clearly document and record your analysis, including the facts relied on and the conclusion reached, in accordance with applicable laws, even if you determine there is no real risk of significant harm; PIPEDA requires a record of every breach of security safeguards regardless of whether it is reportable
For more information, please contact the authors or any other member of our Privacy & Data Protection group.