Breach Notification Decisions


The Personal Information Protection Act requires breach notification to the Commissioner and affected individuals by private sector organizations where there exists "a real risk of significant harm" to an individual as a result of the loss or unauthorized access to or disclosure of personal information.

The Commissioner publicly makes available the decisions where a real risk of significant harm was identified and notification to affected individuals was required. Decisions where there was no real risk of significant harm identified are not published.

The Commissioner also makes available certain decisions made under the Health Information Act. A custodian may decide not to give notice of a breach where they believe notification to an affected individual could reasonably be expected to result in a risk of harm to the individual’s mental of physical health (section 60.1(5)). When deciding not to give notice, the custodian must notify the Commissioner. The Commissioner may confirm the custodian’s decision not to notify or by order require notice to the affected individual (section 85.1(2)).

Note: The search function for the table is limited to the content in the table, such as body name and summary. It does not scan all PDFs. However, the general search function in the top navigation of the website scans PDFs during a search.

Although the OIPC makes every effort to ensure that all information posted on the website is accurate and complete, the OIPC cannot guarantee its integrity. If there is any discrepancy between the information posted on our website and the original paper versions, the original paper document is authoritative.

  • Year:
  • Legislation:
  • Search:
Page: of 1
Decision Date Body
P2021-ND-003 Jan 26 2021 AltaSteel, Inc.
Summary: An email forwarding rule was set up without authorization. Three email accounts were sending emails... [More]
P2021-ND-002 Jan 26 2021 Deluxe Small Business Sales Inc., operating as MAC Highway
Summary: The organization discovered that the password for an administrative portal was compromised and an... [More]
P2021-ND-001 Jan 26 2021 Custom Electric Ltd.
Summary: A phishing attempt resulted in an internal email, with employee payroll earning statements... [More]
Page: of 1
Loading... Please Wait