This is a case where PIPEDA is a good model to follow. I think the government got it right in PIPEDA for mandatory breach notification. That means, first, it is only notification where there is a real risk of significant harm. You don't want to alarm people for nothing.
On October 6th, 2016.