PIPEDA breach reporting and the breach register

Last reviewed 2026-06-29 · Plain-language summary, not legal advice.

Since November 2018, PIPEDA has imposed mandatory breach obligations on every organization it covers. They come as a set of three distinct duties, and they are easy to get half-right — most organizations remember the duty to report and forget the duty to keep records. The mechanics are set out in the Breach of Security Safeguards Regulations (SOR/2018-64), made under the Personal Information Protection and Electronic Documents Act itself.

The three duties

A "breach of security safeguards" is the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a failure of your safeguards. When one happens, PIPEDA creates three separate obligations:

  • Report to the regulator. If the breach creates a real risk of significant harm, report it to the Office of the Privacy Commissioner of Canada (OPC).
  • Notify the individuals. If the breach creates a real risk of significant harm, notify each affected individual so they can take steps to protect themselves.
  • Keep a record. Record every breach of security safeguards — reportable or not — and retain it for at least 24 months.

The first two are triggered by a harm threshold. The third is not — it applies to every breach, full stop. That asymmetry is where compliance most often slips.

The trigger: real risk of significant harm

Reporting and notification both turn on one test — whether the breach creates a real risk of significant harm (RROSH) to an individual. PIPEDA defines "significant harm" expansively: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunity, financial loss, identity theft, negative effects on credit, and damage to or loss of property.

Whether the risk is "real" is assessed on two factors set out in the Act: the sensitivity of the personal information involved, and the probability that the information has been, is being, or will be misused. Sensitivity is contextual — health information and government identifiers sit high; a mailing list of business contacts sits low. Probability turns on facts like whether the data was encrypted, whether it was recovered, who got access, and whether there is evidence of malicious intent. You document this assessment, because it is the justification for whatever you decide to do next.

Timing: "as soon as feasible"

PIPEDA does not give you a fixed number of days. Once you determine that a reportable breach has occurred, you must report to the OPC and notify affected individuals as soon as feasible. The practical reading is that the clock starts at determination, not discovery, and that "feasible" is not an invitation to delay — you assess promptly and act once you reasonably can. Notification to individuals must be conspicuous and given directly to the individual in most cases.

What the report and the notice must contain

The Regulations specify the content. A report to the Commissioner must describe the circumstances of the breach and its cause (if known), when it occurred, the personal information involved, the number of individuals affected, the steps you have taken to reduce or mitigate the risk of harm, the steps you have taken or will take to notify individuals, and a contact who can answer the OPC's questions. The notice to individuals must contain enough information to let them understand the significance of the breach and take steps to reduce or mitigate the harm — what happened, what information was involved, what you are doing about it, what they can do, and how to contact you.

The record-keeping duty everyone underestimates

This is the obligation that trips up otherwise-careful organizations. You must keep a record of every breach of security safeguards — including the ones that did not meet the harm threshold and were never reported. Each record must contain enough information for the OPC to verify your compliance, and you must retain it for a minimum of 24 months. The point is accountability: the register lets the regulator confirm that the breaches you didn't report were genuinely below the threshold, rather than quietly buried. "We have never had a reportable breach" is not a substitute for the register, because the register has to capture the non-reportable ones too.
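The register, the documented RROSH assessment (two factors plus rationale) and the report content listed above fit together as one data model. The following is an added illustration, not code from this page or from ThinSky: the field names, the `Level` scale, the `example.invalid` contact and the two sample entries are constructed for the example, and the retention arithmetic follows the article's summary (24 months from the determination date) rather than the Regulations' text. Its point is the asymmetry the section describes: every breach gets a record and a retention date, but only entries whose documented determination is "real risk" ever produce OPC report content.

```python
"""Minimal PIPEDA breach register model (added example, not the page's code)."""
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Level(Enum):
    """Constructed three-step scale for the two statutory factors."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RroshAssessment:
    """Sensitivity, probability of misuse, and the rationale behind the call."""
    sensitivity: Level
    misuse_probability: Level
    rationale: str      # why the organization reached its conclusion
    real_risk: bool     # the organization's documented determination


@dataclass
class BreachRecord:
    record_id: str
    occurred_on: date
    determined_on: date           # retention clock starts here, not at discovery
    circumstances: str
    cause: Optional[str]          # "if known"
    information_involved: List[str]
    individuals_affected: int
    assessment: RroshAssessment
    mitigation_steps: List[str]
    notification_steps: List[str]
    contact: str
    reported_to_opc_on: Optional[date] = None

    @property
    def reportable(self) -> bool:
        return self.assessment.real_risk

    @property
    def retain_until(self) -> date:
        """Minimum retention: 24 months from the determination date."""
        return add_months(self.determined_on, 24)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last valid day of the month."""
    years, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def opc_report_fields(rec: BreachRecord) -> dict:
    """Assemble the report content the article lists, for reportable breaches only."""
    if not rec.reportable:
        raise ValueError("report content is only assembled for reportable breaches")
    return {
        "circumstances": rec.circumstances,
        "cause": rec.cause or "unknown",
        "occurred_on": rec.occurred_on.isoformat(),
        "information_involved": rec.information_involved,
        "individuals_affected": rec.individuals_affected,
        "mitigation_steps": rec.mitigation_steps,
        "notification_steps": rec.notification_steps,
        "contact": rec.contact,
    }


def register_gaps(register: List[BreachRecord]) -> List[str]:
    """Checks a reviewer would run over the whole register before an OPC request."""
    gaps = []
    for r in register:
        if not r.assessment.rationale.strip():
            gaps.append(f"{r.record_id}: RROSH assessment has no rationale")
        if r.reportable and r.reported_to_opc_on is None:
            gaps.append(f"{r.record_id}: reportable but no OPC report date recorded")
    return gaps


def records_to_retain(register: List[BreachRecord], today: date) -> List[BreachRecord]:
    """Entries still inside their minimum retention window on `today`."""
    return [r for r in register if r.retain_until >= today]


# Constructed sample register: one sub-threshold entry, one reportable entry.
SAMPLE_REGISTER = [
    BreachRecord(
        record_id="BR-0001", occurred_on=date(2025, 3, 2), determined_on=date(2025, 3, 4),
        circumstances="Laptop lost in transit", cause="Loss of device",
        information_involved=["employee names", "work email addresses"],
        individuals_affected=40,
        assessment=RroshAssessment(Level.LOW, Level.LOW,
            "Full-disk encryption on; recovery key held centrally; device wiped remotely", False),
        mitigation_steps=["Remote wipe issued"], notification_steps=[],
        contact="privacy@example.invalid"),
    BreachRecord(
        record_id="BR-0002", occurred_on=date(2025, 6, 10), determined_on=date(2025, 6, 12),
        circumstances="Customer export file exposed on a misconfigured share", cause=None,
        information_involved=["customer names", "mailing addresses", "account balances"],
        individuals_affected=1200,
        assessment=RroshAssessment(Level.HIGH, Level.HIGH,
            "Plaintext records; access logs show downloads from an unknown party", True),
        mitigation_steps=["Share access revoked", "Credentials rotated"],
        notification_steps=["Direct notice by letter and e-mail"],
        contact="privacy@example.invalid"),
]
```

Running `register_gaps(SAMPLE_REGISTER)` flags BR-0002 as reportable with no OPC report date, while BR-0001 stays in the register with a retention date of 2027-03-04 even though it is never reported; `opc_report_fields` refuses to build a report for it.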

How this shows up in a questionnaire

Canadian buyers test all three duties. A row asking you to "describe your breach notification process" is checking the report-and-notify duties; a row asking you to "describe your breach register" or "how do you log security incidents" is checking the record-keeping duty specifically — and the honest answer is the mechanism, not the assertion that you have never had a breach. Buyers increasingly want to see that the detection and logging behind the register actually exists, because you cannot register breaches you never detect. Our PIPEDA questionnaire guide walks through answering these rows; the related provincial regimes — Alberta PIPA, which has its own mandatory notification rule, and Quebec Law 25, with its confidentiality-incident register — add their own breach duties on top of PIPEDA's.

Common questions

What is a "real risk of significant harm" under PIPEDA?

Real risk of significant harm (RROSH) is the threshold that triggers mandatory breach reporting. "Significant harm" is defined broadly in PIPEDA — bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunity, financial loss, identity theft, negative effects on credit, and damage to or loss of property. "Real risk" is assessed on two factors: the sensitivity of the personal information involved and the probability that it has been, is being, or will be misused. A lost laptop with strong encryption and managed keys may fall below the threshold; exfiltrated plaintext customer records almost never do.

How quickly must a PIPEDA breach be reported?

There is no fixed number of days. Where a breach of security safeguards creates a real risk of significant harm, PIPEDA requires you to report to the Office of the Privacy Commissioner of Canada (OPC) and notify affected individuals "as soon as feasible" after you determine the breach has occurred. In practice that means you should not wait — you assess the risk promptly and report once you reasonably can, rather than treating it as a deadline to run down.

Do I have to report breaches that did not harm anyone?

You do not have to report or notify for a breach that does not meet the real-risk-of-significant-harm threshold — but you must still record it. PIPEDA's record-keeping duty applies to every breach of security safeguards, regardless of whether it was reportable. So a minor breach you reasonably conclude poses no real risk is not reported to the OPC, but it still goes in your breach register.

How long must PIPEDA breach records be kept?

The Breach of Security Safeguards Regulations set a minimum retention period of 24 months from the day the organization determines the breach occurred. The OPC can ask to see these records, so the register has to be real and maintained — not reconstructed after the fact.

Stand up breach detection and a real register.

ThinSky deploys the monitoring and record-keeping PIPEDA's breach rules assume. Tell us what you can see today.