News release

Privacy Commissioner launches breach risk self-assessment tool for organizations

March 26, 2025 – Gatineau, Quebec

Privacy Commissioner of Canada Philippe Dufresne has launched a new online tool that will help businesses and federal institutions that experience a privacy breach to assess whether the breach is likely to create a real risk of significant harm to individuals.

The privacy breach risk self-assessment tool is a convenient web-based application that guides users through a series of questions to assess the sensitivity of personal information that is involved in a data breach, and the probability that it will be misused.

The results provided through this online tool will help organizations to conduct a risk assessment following a data breach and determine their required next steps, including notifying affected individuals.

Organizations that are subject to Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and federal government institutions, are required to report breaches that pose a real risk of significant harm to the Office of the Privacy Commissioner of Canada and to notify affected individuals.

Real risk of significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, financial loss, identity theft, negative effects on one’s credit record, and damage or loss of property.

In determining whether there is a real risk of significant harm, organizations must consider the degree of sensitivity of the personal information involved and the probability that the information will be misused.

Privacy breaches may result from identity theft, scams, hacking or other unauthorized access, be it deliberate or accidental. Sensitive information often includes personal health and financial data.

Quote

“Privacy breaches are growing in scale, complexity and severity and can cause serious harm to the people who have been affected. This new online tool will make it easier for organizations to assess the potential impacts on individuals who have been affected, to determine what steps they need to take following a breach.”

Philippe Dufresne
Privacy Commissioner of Canada

Related links

• What is the privacy breach risk self-assessment tool?
• Assess if a privacy breach poses a real risk of significant harm to an individual

Media contact

Office of the Privacy Commissioner of Canada
communications@priv.gc.ca