Assess if a privacy breach poses a real risk of significant harm to an individual
If your organization has experienced a privacy breach, use this online tool to assess:
- If the breach has created a real risk of significant harm to an individual, and
- If you must report the privacy breach
Once you have completed the questionnaire, the tool will indicate whether a real risk of significant harm is either Likely or Unlikely. This can help inform your next steps, including whether to report the breach.
About this tool
- The privacy breach risk self-assessment will guide you through a series of questions that will analyze key details of the breach to assess whether the circumstances create a real risk of significant harm.
- It does not ask for information that identifies you or your organization.
- The information that you enter is not collected or sent to us.
- You will be able to download and save the results. If you submit a privacy breach report to us, you can include the risk assessment results with your submission.
- The tool’s breach risk self-assessment result is only one element to consider in assessing a breach. The tool’s results do not replace your own judgment.
Why must organizations report a privacy breach?
- Businesses that are subject to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), must report any breach of security safeguards that creates a real risk of significant harm to an individual to the Office of the Privacy Commissioner of Canada (OPC).
- Federal government institutions are required, under the federal Policy on Privacy Protection, to report any such breaches to the OPC as well as to the Treasury Board of Canada Secretariat.
See our guidance on what you need to know about mandatory reporting of breaches of security safeguards for more information.
Learn more about the privacy breach risk self-assessment tool.
- Date modified: