must look at the context and the circumstances of the breach to determine the extent to which the information is sensitive. PIPEDA notes that although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive depending on the context.
When considering the probability that the personal information will be misused, the organization should look at who actually accessed or could have accessed the personal information, the length of time the information was exposed and the presence of any evidence of malicious intent.
Alberta has had similar breach notification rules in place since 2010 under its Personal Information Protection Act, which also require notification if there is a real risk of significant harm. The Alberta Office of the Information and Privacy Commissioner (AOIPC) has stated that to meet the significant harm test the harm must be important, meaningful and have non-trivial consequences or effects. The AOIPC further noted in 2011 that:

“…This standard does not require that significant harm will certainly result from the incident, but the likelihood that it will result must be more than mere speculation or conjecture. Further, there must be a cause and effect relationship between the incident and the possible harm.”
The AOIPC has provided some guidance based on past decisions on what constitutes a real risk of significant harm as a result of a breach. For example, highly sensitive personal information (such as social insurance numbers, drivers’ license numbers and credit card numbers in combination with personal identifiers such as name and address) coupled with circumstances where information was stolen for nefarious purposes, where the recipients of the information could not be determined or where the device containing the personal information had no encryption – making access possible and unknown – have led to a finding that a real risk of significant harm exists as a result of a breach.
It is important to note that if a breach occurs – and it is determined by the organization that it does not create a real risk of significant harm to an individual – the organization must still maintain a record of the breach for at least two years thereafter. The record must include a description of the incident (including when it happened and what information was involved) and must also document whether notification was made, and if not, why it was determined that there was not a real risk of harm. The purpose for retaining these records is to allow the OPCC to verify an organization’s compliance with the Breach Rules. Therefore, if a breach is not reported to the OPCC, the information that would have been provided to the OPCC, if it had been reported, must be maintained.
Most importantly, these Breach Rules provide for fines of up to $100,000 if an organization knowingly fails to report to the OPCC, notify the affected individuals or fails to maintain a record for all breaches.
This article provides a brief summary of what these Breach Rules entail and should not be construed as legal advice. Readers are encouraged to speak with legal counsel to better understand how the Breach Rules will affect their organization.
Kelsey M. Yakimoski is an associate with Fillmore Riley LLP who practises primarily in the area of civil litigation. You may reach her at 204-957-8397 or kyakimoski@fillmoreriley.com.
Paul K. Grower is a partner with Fillmore Riley LLP who practises primarily in the areas of taxation litigation, general commercial litigation and privacy law. You may reach him at 204-957-8369 or pgrower@fillmoreriley.com.
LEGAL
It is important to note that the new Breach Rules under PIPEDA apply to the organization which is in control of the personal information involved in a breach.
PILING CANADA 77