Data Breach Notification Requirements in Canada (2026)

CanCertify Team · Jan 6, 2026 · 8 min read

Data breaches are a matter of "when", not "if", for most Canadian businesses. Since November 1, 2018, PIPEDA has required mandatory breach reporting and notification, and knowingly failing to report a breach, notify affected individuals or keep the required records is an offence punishable by a fine of up to $100,000. Quebec's Law 25 adds its own incident-notification regime with much steeper penalties, so understanding your obligations is essential. This guide walks through what you need to do when a breach occurs.

What Constitutes a "Breach" Under PIPEDA

Under PIPEDA, a "breach of security safeguards" is defined as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards, or from a failure to establish those safeguards. This includes:

  • A hacker gaining access to your customer database.
  • An employee accidentally emailing a spreadsheet of personal information to the wrong recipient.
  • A stolen laptop containing unencrypted personal information.
  • A ransomware attack that encrypts or locks you out of systems containing personal data (treat loss of access as a potential breach; early in an incident you usually cannot prove that the data was not also copied).
  • A physical break-in where paper records containing personal information are stolen.

The RROSH Test

Not every breach triggers mandatory notification. The threshold is whether the breach creates a "real risk of significant harm" (RROSH) to any individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, financial loss, identity theft, negative effects on credit, and damage to or loss of property. Factors to consider include:

  • The sensitivity of the personal information involved (financial data, health information, and government identifiers like SINs are highly sensitive).
  • The probability that the information will be misused (was it accessed by a malicious actor, or was it an accidental disclosure to a trusted party?).
  • The number of individuals affected. Note that PIPEDA itself names only the two factors above (plus any prescribed by regulation): scale shapes the size of your response, but it does not raise the threshold, and a breach affecting a single person can still require notification.

Notification Requirements Step by Step

When a breach meets the RROSH threshold, you must take the following steps:

  1. Report to the Office of the Privacy Commissioner (OPC). Report the breach to the OPC as soon as feasible after you determine that it has occurred. PIPEDA sets no day count, but "as soon as feasible" means without unreasonable delay; do not wait for the investigation to finish, because you can report with the information you have and supplement it later. The Breach of Security Safeguards Regulations require the report to include the circumstances of the breach and its cause if known, the day or period it occurred (or an approximation), the personal information involved, the number of individuals affected (or an estimate), the steps you have taken to reduce the risk of harm, the steps you have taken to notify affected individuals, and the name and contact details of a person who can answer the OPC's questions.
  2. Notify affected individuals. Notify the affected individuals as soon as feasible. The notification must contain enough information for individuals to understand the significance of the breach to them and to take protective steps: a description of the circumstances of the breach, the day or period it occurred, the type of personal information involved, what you are doing to reduce the risk of harm, steps the individual can take (e.g., change passwords, monitor credit), and contact information for someone who can answer their questions. Notification must normally be given directly (in person, by phone, mail or email); indirect notification such as a public notice is permitted only where direct notice would cause further harm or undue hardship, or where you do not have contact information.
  3. Notify other organizations if appropriate. If another organization or government institution may be able to reduce or mitigate the risk of harm (e.g., a bank could monitor for fraudulent transactions), you must notify them.
  4. Keep records. Maintain a record of every breach of security safeguards, whether or not it met the RROSH threshold, for 24 months after the day you determined the breach occurred. The record must contain enough detail for the OPC to verify that you complied, including why you concluded that no RROSH existed when you chose not to report, and the OPC can request these records at any time.

Quebec Law 25 Breach Requirements

If you handle data of Quebec residents, Law 25 imposes additional requirements:

  • You must notify the Commission d'accès à l'information du Québec (CAI), in addition to the OPC, of any "confidentiality incident" that presents a risk of serious injury. The Quebec test weighs the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes.
  • Notification to the CAI must include a preliminary assessment of the cause and a description of mitigation measures; affected individuals must also be notified, and you must keep a register of all confidentiality incidents, not only those that met the threshold.
  • Failure to comply can attract administrative monetary penalties of up to $10 million or 2% of worldwide turnover, whichever is greater, and penal fines of up to $25 million or 4% of worldwide turnover.

Building Your Breach Response Plan

The time to build your breach response plan is before a breach occurs. A strong plan includes:

  • A designated breach response team with clear roles (privacy officer, IT lead, legal counsel, communications lead).
  • A containment checklist in the right order: isolate affected systems, preserve forensic evidence before anything is rebuilt (disk and memory images, logs, and a written note of the date you determined the breach occurred, since the reporting and 24-month record-keeping clocks run from that day), then reset credentials and revoke active sessions and tokens.
  • Pre-drafted notification templates for the OPC, individuals, and third parties.
  • Contact information for external resources: legal counsel, forensic investigators, credit monitoring services.
  • An annual tabletop exercise to test the plan with your team.

Key Takeaways

  • Mandatory breach notification has been federal law since 2018 — ignorance is not a defence.
  • The RROSH test determines whether notification is required: assess the sensitivity of the data and the probability of misuse.
  • Notify the OPC and affected individuals "as soon as feasible" — delays increase legal risk and reputational damage.
  • Keep records of all breaches for 24 months from the day you determined each one occurred, regardless of whether it triggered notification.
  • Build and test your breach response plan now — not during a crisis.
