
2 April 2025 · 4 minute read

OPC releases new Privacy Breach Risk Assessment Tool

Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to notify the privacy regulator and affected individuals of privacy breaches that create a “real risk of significant harm”. PIPEDA defines what counts as significant harm, including humiliation, damage to reputation, financial loss, and identity theft, and identifies the factors to consider when deciding if there is a real risk of significant harm. This includes the sensitivity of the affected personal information and the probability that the information has been or will be misused.

Organizations that are subject to PIPEDA and that experience a data breach must always conduct the real risk of significant harm analysis. To date, there has been limited guidance regarding how the Office of the Privacy Commissioner of Canada (OPC) approaches that analysis. An organization that does not report a breach can face investigations, audits, and related enforcement action if the OPC later determines that the breach should have been reported.

To help businesses assess the risk of significant harm resulting from privacy breaches, the OPC has introduced a new online tool. This tool also helps businesses understand the OPC’s views of, and approach to, privacy breaches.

What is the Privacy Breach Risk Assessment Tool?

The tool provides an online questionnaire that guides users through a series of questions to evaluate the details of a privacy breach. It helps determine whether the breach is likely to cause significant harm to affected individuals, and offers an assessment of whether the risk of harm is likely or unlikely.

How does the tool work?

To use the tool, you will need to provide specific details about the breach, such as:

  • the types of personal information involved;
  • the number of individuals affected;
  • how the breach occurred;
  • who received the personal information; and
  • the relationship between the affected individuals and the unauthorized party.

The tool then assesses the sensitivity of the information and the likelihood of its misuse. Based on the user’s responses, it will provide a result indicating whether the breach is likely to cause significant harm.

The tool does not ask for identifying information about the user or the organization, and the information that the user enters is not collected or shared with the OPC. This means that organizations and their counsel can use the assessment tool without concerns that doing so will put an incident on the OPC’s radar.

What should you do with the results?

The OPC is clear that the tool’s results are intended to guide organizations in making informed decisions, but are not a substitute for the user’s own judgment. Nor are they legal advice. Users should not rely solely on the tool when deciding whether there is a notification obligation. There could be situations where the tool indicates that there is not a real risk of significant harm, but an organization still decides to notify. There could also be the reverse situation, where an organization makes a risk-based decision not to notify despite the tool suggesting that notification is required. Ultimately, the organization and its legal counsel will have access to more information and nuance than the tool’s questionnaire can capture, and that broader view should drive the decision-making process.

Does the tool work for all privacy breaches?

The tool is not necessarily helpful or relevant in assessing notification requirements under private-sector privacy legislation other than PIPEDA. Alberta’s Personal Information Protection Act has a similar breach reporting framework to PIPEDA, but Quebec’s Act respecting the protection of personal information in the private sector applies a different test. British Columbia’s Personal Information Protection Act has no mandatory breach reporting provisions (although the BC privacy commissioner recommends reporting breaches on a voluntary basis).

Final thoughts

Whether there is a real risk of significant harm can be a nuanced question that requires careful review and analysis. The OPC’s new risk assessment tool will be helpful as part of an organization’s breach reporting analysis, but it should not be the only basis for deciding whether there is a notification obligation. Regardless of the final decision on reporting, organizations must retain records of security incidents for at least two years, as required by PIPEDA.
