New Tool Enhances Privacy Breach Assessments for Ontario's Charities and Not-for-Profits

By Esther Shainblum and Martin U. Wissmath

Apr 2025 Charity & NFP Law Update
Published on April 30, 2025


In response to the increasing complexity and severity of privacy breaches, the Office of the Privacy Commissioner of Canada (OPC) launched a Privacy Breach Risk Self-Assessment Tool on March 26, 2025. This web-based application assists organizations, including Ontario's charities and not-for-profits, in determining whether a breach poses a “Real Risk of Significant Harm” (RROSH) to individuals, a key criterion under the Personal Information Protection and Electronic Documents Act (PIPEDA) for mandatory breach reporting and notification.

The self-assessment tool guides users through a dynamic questionnaire that evaluates the sensitivity of the compromised personal information and the likelihood of its misuse. Based on the responses, the tool indicates whether a breach is likely to result in significant harm, aiding organizations in deciding whether the breach must be reported to the OPC and whether affected individuals must be notified.

Charitable and not-for-profit organizations in Ontario often handle sensitive personal information, such as donor details, beneficiary data, and volunteer records. Charities and not-for-profits are not always subject to PIPEDA (they generally fall under it only when engaged in commercial activities), but as a best practice they should report any breach that presents a RROSH to individuals. The new tool provides a structured approach to assessing such risks, supporting compliance with legal obligations and reinforcing trust with stakeholders.

Key Considerations:

  • Mandatory Reporting: Organizations subject to PIPEDA must report breaches that pose a Real Risk of Significant Harm to the OPC and notify affected individuals.
    • Charities and not-for-profits not subject to PIPEDA should report breaches to maintain a best-practice standard.
  • Record-Keeping: All breaches, regardless of their assessed risk level, must be documented and records maintained for a minimum of two years.
  • Risk Assessment Factors: The sensitivity of the information and the probability of its misuse are critical in determining the risk level.

The introduction of the Privacy Breach Risk Self-Assessment Tool represents a significant advancement in supporting organizations to meet their privacy obligations under PIPEDA. For Ontario's charities and not-for-profits, leveraging this tool could enhance their ability to respond effectively to privacy breaches, safeguard personal information, and maintain public trust.

For more information and to access the tool, visit the OPC's official website: https://www.priv.gc.ca/.
