The Personal Information Protection Act requires private sector organizations to notify the Commissioner and affected individuals where there exists "a real risk of significant harm" to an individual as a result of a privacy breach (section 34.1).
Decisions where there was a real risk of significant harm are made available. Decisions where there was no real risk of significant harm are not made available.
Under the Health Information Act, the Commissioner may confirm a custodian’s decision not to notify or by order require notice to an affected individual (section 85.1(2)). On occasion, those decisions are published.