of the information and should protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. A “breach of security safeguards” occurs where loss of, unauthorized access to or unauthorized disclosure of personal information results from a breach of an organization’s security safeguards or from the failure to establish a security safeguard.
It is important to note that the new Breach Rules under PIPEDA apply to the organization which is in control of the personal information involved in a breach. The OPCC has confirmed that it is reasonable to interpret the principal organization as having “control” over the information in such circumstances and therefore bearing the responsibility for reporting the breach. For example, if a breach occurs at an arm’s length storage facility hired by the organization to store personal information, it will be the organization’s responsibility to comply with the Breach Rules as further outlined below.
The Breach Rules outline that if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, the organization – and if applicable, any other third party – is then obligated, as soon as it is feasible to do so, to:
• File a report with the OPCC;
• Notify the individual(s) whose personal information was breached; and,
• Notify any other organization or government entity that may be able to assist in reducing or lessening any harm to individuals (e.g. the police, credit reporting agencies, etc.).
In the report filed with the OPCC, the organization must (to the extent that the organization knows):
• Describe the circumstances of the breach and the cause;
• Identify the period when the breach occurred;
• Describe the personal information that is the subject of the breach;
• Identify the number of individuals affected;
• Describe the steps undertaken to reduce or lessen the risk of harm to the affected individuals;
• Describe the steps undertaken to notify the affected individuals; and,
• Identify the contact person at the organization who will be able to answer any further questions from the OPCC about the breach.
It is expected that the organization will update this report as further information is gathered or determined.
In the notification provided to the individual, the organization must (to the extent that the organization knows):
• Describe the circumstances of the breach;
• Identify the period when the breach occurred;
• Describe the personal information that is the subject of the breach;
• Describe the steps undertaken to reduce or lessen the risk of harm to the individual;
• Describe the steps that the individual could take to reduce their risk of harm (e.g. changing passwords, monitoring financial account activity, etc.); and,
• Identify the contact person at the organization who will be able to answer any further questions from the individual about the breach.
The goal of the notification to the individual is to provide sufficient information to allow the individual to understand the significance to them of the breach, such that they can take steps, if any are possible, to reduce the risk of or mitigate the harm. Also, it is expected that the individuals affected will be directly contacted by the organization (phone, email, mail, etc.), subject to exceptions of harm to the individual and/or hardship to the organization and/or lack of contact information. If any of the exceptions apply, indirect notification – via public communications (e.g. media, website, etc.) – will need to be used.
PIPEDA specifies that “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
In determining whether there is a “real risk” of “significant harm,” the sensitivity of the information and the probability that it will be misused need to be considered. When considering the sensitivity of the information, the organization
LEGAL
Medical records and income records are almost always considered to be sensitive but any information can be sensitive depending on the context
76 Q4 2018 www.pilingcanada.ca