PIPEDA Breach Notification Rights — Make a Business Tell You When a Data Breach Creates Real Risk
What Is It?
PIPEDA requires covered private-sector businesses to report certain privacy breaches and notify affected individuals when the breach creates a real risk of significant harm.
This matters because businesses do not get to quietly decide that every breach is “no big deal.”
What Most People Don’t Know
- The business may have to notify both you and the Office of the Privacy Commissioner of Canada (OPC).
- The trigger is risk, not embarrassment. The legal test is whether there is a real risk of significant harm.
- Businesses must keep records of all breaches, not just the worst ones.
- Failure to report can itself create legal problems for the organization.
Frequently Asked Questions
Q: Does every data breach have to be reported to me?
A: Not every breach, but PIPEDA requires reporting and notification where there is a real risk of significant harm.
Q: Can a small business be subject to these rules?
A: Yes. OPC guidance says the breach-reporting obligations can apply to both large and small businesses covered by PIPEDA.