In fact, this would not be my opinion, but there's an agreement we have in terms of the three characteristics of what is considered a breach that needs to be reported to the Privacy Commissioner.
It's that the information is directly related to personal information that is sensitive, such as financial or medical information, or to a personal identifier such as the social insurance number. It's that there is a risk of identity theft or fraud. And it's if the incident may cause damage to the career, reputation, financial situation, security, health or well-being of the person.
This is the criteria that are used to assess if it is necessary to report the breach to the Privacy Commissioner.