Section 36.3 - Privacy breach notifications

Last updated on February 10, 2023


Overview

If a privacy breach could reasonably be expected to result in significant harm to an individual, section 36.3 requires the head of the public body to notify the affected individual and the Information and Privacy Commissioner without unreasonable delay.

Section Reference

Section 36.3 of the Freedom of Information and Protection of Privacy Act:

36.3 (1) In this section, "privacy breach" means the theft or loss, or the collection, use or disclosure that is not authorized by this Part, of personal information in the custody or under the control of a public body.

(2) Subject to subsection (5), if a privacy breach involving personal information in the custody or under the control of a public body occurs, the head of the public body must, without unreasonable delay,

(a) notify an affected individual if the privacy breach could reasonably be expected to result in significant harm to the individual, including identity theft or significant

(i) bodily harm,

(ii) humiliation,

(iii) damage to reputation or relationships,

(iv) loss of employment, business or professional opportunities,

(v) financial loss,

(vi) negative impact on a credit record, or

(vii) damage to, or loss of, property, and

(b) notify the commissioner if the privacy breach could reasonably be expected to result in significant harm referred to in paragraph (a).

(3) The head of a public body is not required to notify an affected individual under subsection (2) if notification could reasonably be expected to

(a) result in immediate and grave harm to the individual's safety or physical or mental health, or

(b) threaten another individual's safety or physical or mental health.

(4) If notified under subsection (2) (b), the commissioner may notify an affected individual.

(5) A notification under subsection (2) (a) or (b) must be made in the prescribed manner.

Summary

Section 36.3 defines the term “privacy breach” and requires the head of a public body to notify the affected individual(s) and the commissioner when the breach could reasonably be expected to result in significant harm. Subsection (2) (a) (i)-(vii) lists examples of harms that, if significant, would require notification under FOIPPA. That list is non-exhaustive, however, and the potential harm of each privacy breach must be determined through a harms assessment.

If a harms assessment concludes that notification is not required under this section of FOIPPA, a public body may still decide to notify affected individuals and the commissioner. In other words, this section identifies the circumstances in which notification must occur, but it does not preclude notification where the risk of harm to individuals is judged not to meet the “significant” threshold. In those cases, the decision to notify should rest on a balanced harms assessment: the risk of harm to an affected individual resulting from the breach is weighed against the risk that notification itself would cause that individual further harm. A public body should notify the affected individual if the risk of harm resulting from the breach outweighs the risk of further harm that notification would cause.

Section 36.3 (5) provides for the form and manner of the notifications to be prescribed by regulation. The information that public bodies must include in a privacy breach notification is listed in sections 11.1 and 11.2 of the Freedom of Information and Protection of Privacy Regulation.

Government has published its Guidance on Mandatory Privacy Breach Notifications to help public bodies determine when notification might be required, and to understand their obligations under this section.

Sectional Index of Commissioner's Orders

The Office of the Information and Privacy Commissioner maintains a Sectional Index of Commissioner’s orders organized by the Act’s section numbers.

The information in this manual is not intended to be and should not take the place of legal advice.