The Personal Information Protection and Electronic Documents Act has data breach provisions within it that are likely going to come into force next year. One of the biggest issues is how these provisions are going to be interpreted by organizations that have to abide by them and, maybe more importantly, by the Privacy Commissioner of Canada who will enforce them.
One of the phrases that will require interpretation is what it means to experience a breach where there is a real risk of significant harm. This will be an important threshold because organizations only have to report incidents when a real risk of significant harm is present. Luckily, we do have a little guidance as to what this phrase means because it is the same standard that has been used in Alberta for a number of years now.
And, now, we may have received another helpful clue as to what this threshold means. The Office of the Privacy Commissioner released draft guidelines for public comment late last week wherein they state, “By 'significant harm,' we mean 'bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on (one’s) credit record and damage to or loss of property.'”
At first blush, I think this is a really good interpretation, though I'm not that sure it's completely consistent with the way the Alberta Commissioner has been interpreting the same phrase. Still, it's quite useful to know what the OPC sees as harmful with respect to a privacy violation. I think we will need a bit more time to sort this out, but it is good to see the OPC making such a pronouncement on this at this time, while we are in the early stages of data breach notification under PIPEDA.
While I have your attention relating to what the OPC released, I should call out in a bit more detail the context in which they made the statement about significant harm. It was part of a paper that explored the role of consent and, in particular, suggested that there are “no-go” zones where organizations would always be seen as having acted unreasonably. You should review it in case your organization needs an opportunity to submit something in response. You can find it here.
Lastly, before I let you go on with your long weekend and before I start making my famous turkey stuffing, I need to bring to your attention a beta program the IAPP is running for a short period of time. It pertains to the fact that the CIPP/E and CIPM exams have been translated into German and French — the latter probably being more relevant to us in Canada. So, if you were thinking of taking these exams and prefer the option of not taking them in English, now is a good time to sign up because the regular $550 fee is reduced to $100.