

Receiving a privacy breach notification


Changes to Canada’s federal private-sector privacy law came into force in November 2018. The changes require organizations that hold your personal information to notify you in the event of a breach of their security safeguards that could lead to a real risk of significant harm.

Here’s what you should know if you are concerned you may have been impacted or if you get a breach notification from a company.

How has the law changed?

Over the last few years, we have seen numerous significant and high-profile data breaches involving the personal information of Canadians held by organizations. Compromised data can be used to damage an individual’s reputation or financial standing.

In cases where a breach of security safeguards creates a real risk of significant harm, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to not only report the breach to the Office of the Privacy Commissioner of Canada, but also to notify all affected individuals. See the section on Breaches of security safeguards in PIPEDA.

To determine whether a breach poses a real risk of significant harm, organizations must conduct a risk assessment. Examining the relevant factors, as well as who may have been affected, can take time, but the law states that the affected organization should issue notifications as soon as feasible.

What does this mean for me?

Once an organization has determined that a breach of security safeguards involving a real risk of significant harm has occurred, it must:

  • contact you as soon as feasible
  • directly notify you by email, telephone or another appropriate form of communication
  • indirectly notify you – only in certain cases – for example, if it doesn’t have your contact information. Indirect notification should be made via a prominent public announcement
  • give you easy-to-understand information

What can I do?

If you receive a breach notification from an organization:

Read the notice carefully

The notice will provide you with details about the breach, including:

  • a description of the compromised personal information, to the extent that information is known
  • the steps the organization has taken to reduce any risk of harm to you
  • what you can do to reduce your risk
  • contact information of someone at the organization who can provide further information

Keep your breach notification in a safe place

It’s important you review this notice to fully understand the scope of the breach and any risks to your personal privacy. Treat the notice seriously, and keep it in a safe place in case you need the information later on.

Change your password

If your password was compromised in a breach, it’s time to change it. If someone obtains your password, they may be able to access your account, see your activities, and even pretend to be you. This problem becomes even more complicated if you use the same password for different accounts. Bad actors will test the same combination of usernames and passwords for other accounts you may have.

Read our advice on creating and managing passwords.

Monitor affected accounts

If you are concerned about a breach, keep a close eye on potentially affected accounts—especially if the breach involves sensitive information like financial information. Contact your financial institution if you think your accounts may have been compromised.

Consider subscribing to services such as credit alerts to reduce the potential for fraud, or order a credit report and score to ensure you have an up-to-date account of your standing.

Some companies that have experienced a breach will offer customers free credit monitoring for a period of time. If you receive a breach notification from a company, ask if this service is available.

If you suspect you are a victim of identity theft, contact the police.

What do I do if I have questions or concerns about a breach?

The first thing you should do is contact the organization involved in the breach directly. You can raise privacy concerns with the privacy officer at the organization. Use the contact information provided in the breach notification.

Stay vigilant

Bad actors will sometimes wait for a while between stealing your personal information and using it. Don’t assume that your information is safe just because nothing happened in the first few days after a breach.

Be on the lookout for social engineering attacks. Social engineering is the practice of manipulating people in order to obtain confidential or sensitive data. A social engineer could use influence and persuasion, sometimes along with stolen information, to get you to divulge more personal information. Always take precautions to protect your personal information. Read our advice: Proceed with caution: Avoid malicious software.
