Since this amendment came into effect, the Office of the Information and Privacy Commissioner (OIPC) has published a number of breach notification decisions on its Web site. These published decisions can provide some guidance to organizations that have experienced a breach incident and need to determine if the breach meets the threshold of “real risk of significant harm.”
01 December 2010
Breach notification decisions handed down
Regular readers of this column will recall that previously we wrote about amendments to the Alberta Personal Information Protection Act (PIPA) that came into effect May 1, 2010. One of the amendments requires that organizations covered by PIPA notify the province’s privacy commissioner of a loss of, unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a “real risk of significant harm” to an individual.
In
, an organization was notified that some documents containing personal information had been found in the area of the organization’s U.S. headquarters. The organization recovered a significant number of the documents but was not able to determine whether the files had been disposed of inadvertently as a result of carelessness or if it was an intentional action intended to cause harm.
During the resulting investigation, the organization also discovered that other underwriting files were not in their designated locations and might have been missing from the premises. The OIPC determined that the personal information affected was of moderate to high sensitivity (it included individuals’ names, addresses, Social Security numbers, financial account numbers, driver’s licence numbers and more) and could be used to build comprehensive profiles suitable for identity theft and/or fraud. There was also a real risk due to the sensitivity of the information and the fact that the cause of the incident, the whereabouts of the other missing files and the length of time the files had been missing were all unknown.
The OIPC required that the organization notify individuals in Alberta affected by the breach.
As a side issue, it was noted that, although this breach occurred in the United States, the OIPC had jurisdiction, as the personal information involved was that of a number of Albertans and the personal information had been collected by an organization which is licensed to operate in the province.
In
, the OIPC determined there was a real risk of significant harm after an organization’s payroll files were found in a dumpster. The files had been stored in an offsite locker (the lock had been cut off by an unknown individual), the organization did not keep logs of what records were stored in the locker, and it is unknown whether all the records kept in the locker were recovered. Given that the affected personal information included names, addresses, birth dates and social insurance numbers (SINs), and the fact that the cause of the access to the storage locker was unknown, the organization was required to notify former employees (it had already notified current employees).
In
, a financial organization inadvertently faxed a document containing sensitive financial information to the wrong recipient when transferring a customer’s account to another institution. The organization faxed the document to the customer’s workplace, and a coworker drew the customer’s attention to the document sitting on the fax machine. When the customer notified the organization about the incident, it offered the customer a complimentary subscription to a credit bureau monitoring service. The OIPC determined that although the individual was aware of the incident, the organization had not itself notified the affected individual and, as there was a real risk of significant harm (it was unknown how long the fax had been left on the machine and there was no way to know how many people may have had access to it), the organization needed to notify the individual.
As can be seen from the above examples, uncertainties about the nature of the event, and the fact that the organizations did not know how, by whom or even whether the personal information was accessed, contributed to the requirement to notify affected individuals. In each of these cases, the sensitive nature of the personal information disclosed also contributed to the decision to require notification. An examination of these cases (there are currently five such decisions on the OIPC Web site) may help organizations determine whether notification to the commissioner is appropriate under the circumstances.
