Mandatory Breach Reporting (isn’t *that* bad)

Mandatory Breach Reporting (isn’t *that* bad) Vance Lockton Strategic Policy Analyst November 6, 2018

The Office of the Privacy Commissioner of Canada (OPC)
Mission: To protect and promote the privacy rights of individuals.
Mandate: To oversee compliance with the Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada’s Anti-Spam Legislation (CASL).
Structure: Divided into three sectors – Compliance, Policy and Promotion, and Corporate Services.

Personal Information Protection and Electronic Documents Act (PIPEDA)
Applies:
- To the collection, use and disclosure of personal information in the course of commercial activity
- Across Canada, except AB, BC and PQ (each of which has substantially similar legislation)
Purpose: To establish … rules to govern collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals … and the need of organizations to collect, use and disclose personal information ….

PIPEDA – 10 Principles
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure & Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

Mandatory Breach Reporting
Key Obligations
- Establish security safeguards appropriate to the sensitivity of the information
- Report to the OPC any breach of security safeguards that creates a “real risk of significant harm”, and notify affected individuals
- Keep a record of all breaches

Mandatory Breach Reporting
What are security safeguards?
Physical, organizational or technical measures designed to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
What is a breach of security safeguards?
The loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or the failure to establish them.

Mandatory Breach Reporting
What is “significant harm”?
Defined broadly; it includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property.

Mandatory Breach Reporting
How does an organization determine a “real risk of significant harm”?
Factor 1: Sensitivity
- Consider (a) the type of information, and (b) the context.
Factor 2: Probability of misuse
- Is there evidence of malicious intent?
- Was the information disclosed publicly?
- Was the information encrypted or otherwise not easily accessible?

Mandatory Breach Reporting
Who reports the breach?
- The organization with “control”
- Per PIPEDA’s accountability principle, likely the original collector of the information (the “principal organization”)
- Make sure you have appropriate contracts in place with your 3rd-party processors

Mandatory Breach Reporting
What to include in a breach report
- Description of the circumstances / cause
- Date or period of the breach
- Types of PI that were the subject of the breach
- Number of impacted individuals
- Description of steps taken / to be taken to reduce or mitigate harm, and to notify individuals
- Name and contact information

Mandatory Breach Reporting
What to include in a notice to individuals
- Description of the circumstances / cause
- Date or period of the breach
- Types of PI that were the subject of the breach
- Description of steps taken / to be taken to reduce or mitigate harm
- Description of steps individuals can take to further reduce harm
- Contact information

Mandatory Breach Reporting
Breach Reporting Experience
- Provide the report to the OPC “as soon as feasible”
- The OPC takes a graduated approach to response: no further action; follow-up with the organization; initiation of an investigation

Mandatory Breach Reporting
Fines
- It is an offence to knowingly contravene the reporting, notification or record-keeping requirements.
- Summary conviction ($10,000 maximum fine) or indictable offence ($100,000 maximum fine)
- The OPC does not prosecute offences or issue fines; it can refer information to the Attorney General of Canada.

Engaging with the OPC
Shift to Promotion: achieving compliance via collaboration and education
Engagement Opportunities
- Business Advisory Directorate
- Advisory Consultations; Privacy Checkups
- InfoCentre: 1-800-282-1376

Resources
- What you need to know about mandatory reporting of breaches of security safeguards
- Breach reporting form
- OPC Privacy Toolkit for Businesses
- Tips for Containing and Reducing the Risks of a Privacy Breach
- Securing Personal Information: A Self-Assessment Tool

Questions?
Vance Lockton | vance.Lockton@priv.gc.ca | 416-973-7266

Learn more at www.priv.gc.ca