Download presentation
Presentation is loading. Please wait.
1
Mandatory Breach Reporting (isn’t *that* bad)
Vance Lockton Strategic Policy Analyst November 6, 2018
2
The Office of the Privacy Commissioner of Canada (OPC)
Mission: To protect and promote the privacy rights of individuals. Mandate: To oversee compliance with the Privacy Act, the Personal Information Protection and Electronic Documents Act, (PIPEDA) and Canada’s Anti-Spam Legislation. (CASL) Structure: Divided into three sectors – Compliance, Policy and Promotion, and Corporate Services.
3
Personal Information Protection and Electronic Documents Act (PIPEDA)
Applies: To the collection, use and disclosure of personal information in the course of commercial activity Across Canada, except AB, BC, PQ (each of which has substantially similar legislation) Purpose: To establish … rules to govern collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals … and the need of organizations to collect, use and disclose personal information ….
4
PIPEDA – 10 Principles Accountability Safeguards Identifying Purposes
Openness Consent Individual Access Limiting Collection Challenging Compliance Limiting Use, Disclosure & Retention Accuracy
5
Mandatory Breach Reporting
Key Obligations Establish security safeguards appropriate to the sensitivity of the information Report to OPC any breach of security safeguards that create a “real risk of significant harm”, and notify affected individuals Keep record of all breaches
6
Mandatory Breach Reporting
What are security safeguards? Physical, organizational or technical measures designed to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. What is a breach of security safeguards? The loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or the failure to establish them.
7
Mandatory Breach Reporting
What is “significant harm”? Defined broadly, and includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, damage to or loss of property.
8
Mandatory Breach Reporting
How does organization determine a “real risk of significant harm”? Factor 1: Sensitivity Consider (a) type of information, and (b) context. Factor 2: Probability of misuse Is there evidence of malicious intent? Was the information disclosed publicly? Was the information encrypted or otherwise not easily accessible?
9
Mandatory Breach Reporting
Who reports the breach? The organization with “control” Per PIPEDA’s accountability principle, likely the original collector of the information (the “principal organization”) Make sure you have appropriate contracts in place with your 3rd-party processors
10
Mandatory Breach Reporting
What to include in a breach report Description of the circumstances / cause Date or period of breach Types of PI subject of the breach Number of impacted individuals Description of steps taken/to be taken to reduce/mitigate harm, and to notify individuals Name and contact information
11
Mandatory Breach Reporting
What to include in a notice to individuals Description of the circumstances / cause Date or period of breach Types of PI subject of the breach Description of steps taken/to be taken to reduce/mitigate harm Description of steps individuals can take to further reduce harm Contact information
12
Mandatory Breach Reporting
Breach Reporting Experience Provide report to OPC “as soon as feasible” OPC takes graduated approach to response: no further action; follow-up with organization; initiation of investigation
13
Mandatory Breach Reporting
Fines It is an offence to knowingly contravene the reporting, notification or record-keeping requirements. Summary conviction ($10,000 maximum fine) or indictable offence ($100,000 maximum fine) OPC does not prosecute offences or issue fines; can refer information to the Attorney General of Canada.
14
Engaging with the OPC Shift to Promotion
Achieving compliance via collaboration/education Engagement Opportunities Business Advisory Directorate Advisory Consultations; Privacy Checkups InfoCentre:
15
Resources What you need to know about mandatory reporting of breaches of security safeguards Breach reporting form OPC Privacy Toolkit for Businesses Tips for Containing and Reducing the Risks of a Privacy Breach Securing Personal Information: A Self-Assessment Tool
16
Questions? Vance Lockton |
17
Learn more at www.priv.gc.ca
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.