On March 26, 2025, the Office of the Privacy Commissioner of Canada (OPC) announced that a new online tool is now available to assist organizations in assessing the likelihood of whether a privacy breach creates a real risk of significant harm (RROSH) to individuals.

The OPC reiterated that organizations must consider the degree of sensitivity of the personal information involved and the probability that the information will be misused in determining whether a RROSH exists. Examples of RROSH include bodily harm, damage to reputation or relationships, financial loss, humiliation, identity fraud, and negative effects on one’s credit record.

The new privacy breach risk self-assessment tool prompts users to answer a series of questions and uses the provided answers to assess the sensitivity of the personal information involved and the probability that it will be misused. For example, the tool includes questions such as:

  • What types of personal information were breached?
  • How many people had their personal information breached?
  • What was the format of the personal information involved in the breach?
  • Who received or obtained the breached personal information?
  • What is the relationship between the party who received or obtained the personal information and the individual(s) whose personal information was breached?

Organizations are not prompted to enter any identifying information into the tool, and the OPC states that the information entered is not collected or sent to the OPC.

Once an organization completes the questionnaire, the tool indicates whether it is “likely” or unlikely” that the privacy breach creates a RROSH to individuals. The OPC has clarified that the tool’s breach risk self-assessment result will aid organizations in determining their reporting and notification obligations but is only one element to consider in assessing a breach. Specifically, the results generated do not constitute an official position or decision from the OPC.

Additional information about the OPC’s new privacy breach risk self-assessment tool can be found here.

Summary By: Steffi Tran

 

E-TIPS® ISSUE

25 04 16

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.

Steffi Tran, Associate, Deeth Williams Wall LLP
By Steffi Tran
April 16, 2025
Privacy