Sometimes, for institutions to define a material privacy breach tends to be a challenge. One institution will deem something as a material breach and another will not. I know additional standardization is an ongoing effort across the government.
Because the level of sensitivity is discretionary, you could have something that is extremely sensitive but implicates only one individual, whereas you could have something of very low sensitivity that implicates hundreds, sometimes thousands. It's left to the discretion of each institution to determine whether something is deemed to be a material privacy breach, and to therefore notify the Privacy Commissioner's office, as well as the Treasury Board.