A comprehensive reference for Ontario lawyers advising on privacy breaches — covering PIPEDA mandatory notification, the real risk of significant harm assessment, intrusion upon seclusion tort, and OPC complaint procedure.
Privacy breach response is now a core competency for Ontario lawyers advising businesses, employers, and health-care organizations. The mandatory breach notification provisions of PIPEDA came fully into force in November 2018, and the Ontario Court of Appeal's recognition of privacy torts has created significant civil litigation exposure for organizations that mishandle personal information.
This guide covers the PIPEDA mandatory notification framework, how to assess "real risk of significant harm," the three Ontario privacy torts, and the OPC complaint and investigation process.
The Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c 5 applies to private sector organizations in Ontario (as a province without substantially similar legislation for the private sector). The mandatory breach notification obligations in ss. 10.1-10.3 require organizations to act promptly.
1. Stop ongoing access; secure systems; preserve evidence. Forensic preservation is critical for regulatory and litigation purposes.
2. Determine whether the breach creates a real risk of significant harm. Consider the sensitivity of the information, the probability of harm, and the number of individuals affected.
3. Report to the Office of the Privacy Commissioner of Canada. PIPEDA requires a report if a real risk of significant harm exists.
4. Notify affected individuals directly. The notification must include what happened, what information was involved, what the organization is doing, and contact information.
5. Create and maintain a record of all breaches. The OPC can request breach records; failure to maintain them is an offence.
6. Fix the root cause; update security safeguards; document learnings. Regulators consider post-breach remediation in enforcement decisions.
Whether notification is required turns on whether the breach creates a "real risk of significant harm." The OPC has published guidance on the factors to consider. This assessment must be documented.
| Factor | Higher Risk (Notify) | Lower Risk |
|---|---|---|
| Sensitivity of Information | Financial, health, SIN, passwords, intimate images | Publicly available information; general contact details |
| Probability of Misuse | Malicious actor with intent to exploit; data already published | Accidental disclosure; no evidence of misuse |
| Potential Harm Type | Identity theft, financial fraud, physical harm, discrimination | Embarrassment only; no financial or physical risk |
| Number of Individuals | Large number affected; systemic breach | Isolated incident; single individual |
| Vulnerability of Individuals | Children, seniors, health patients, domestic violence victims | General adult population |
Ontario courts have recognized three privacy torts that create civil liability independent of regulatory sanctions:
Privacy breach class actions have increased significantly since Jones v Tsige. Because the tort is actionable without proof of individual financial loss (damages are awarded on a per-capita basis), privacy breaches are well-suited for certification.
Under PIPEDA (as amended by the Digital Privacy Act), organizations must report a breach of security safeguards to the Office of the Privacy Commissioner of Canada (OPC) and notify affected individuals if it is reasonable to believe the breach creates a real risk of significant harm. Notification must be given as soon as feasible after the organization determines that the breach has occurred. Organizations must also maintain a breach record for 24 months.
Intrusion upon seclusion is a common law privacy tort recognized by the Ontario Court of Appeal in Jones v Tsige [2012] ONCA 32. The three elements are: (1) the defendant intentionally or recklessly invaded the plaintiff's private affairs or concerns; (2) the plaintiff had a reasonable expectation of privacy in the matter intruded upon; and (3) a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish. General damages of up to $20,000 are available without proof of actual financial loss.
Yes. Ontario employees can bring claims against employers for privacy breaches under two main avenues: (1) a complaint to the Office of the Privacy Commissioner of Canada under PIPEDA for federally regulated employers; and (2) a civil action for intrusion upon seclusion or other privacy torts recognized in Ontario. Privacy breach class actions against employers are increasingly common.
The real risk of significant harm threshold is met when it is reasonable to believe that a breach of security safeguards creates a real (not remote) risk of significant harm to an individual. Significant harm includes: bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, and negative effects on credit.
Atticus helps Ontario privacy lawyers manage breach response files, track OPC timelines, and draft privacy assessments faster with Canadian legal AI — fully PIPEDA-aware and LSO compliant.