Privacy breach notification
Privacy breach notification is the legal duty to report a security incident involving personal information to regulators and affected individuals when it poses a real risk of significant harm.
Under PIPEDA, an organization that suffers a *breach of security safeguards* must notify the Office of the Privacy Commissioner of Canada and affected individuals *as soon as feasible* whenever the breach creates a real risk of significant harm (RROSH) — think identity theft, financial loss, humiliation, or reputational damage. Records of all breaches must be kept, even those that don’t meet the threshold.
Quebec’s Law 25 frames the same duty around an *« incident de confidentialité »*: if it presents a risk of serious injury (*risque de préjudice sérieux*), you must notify the Commission d’accès à l’information and the individuals concerned, and log the incident in a mandatory register.
Assess breaches quickly against factors like data sensitivity and probability of misuse. Delays and non-reporting can attract significant penalties under both regimes.