The Office of the Privacy Commissioner released a report this week revealing the office’s findings with respect to a survey of organizations’ data breach record-keeping practices. They surveyed seven telecommunication companies (which were not named) to get a sense of whether organizations were keeping the right records and, importantly, to look at whether organizations were properly concluding on the all-important question: Does this incident amount to a real risk of significant harm?

Under the Personal Information Protection and Electronic Documents Act, an organization has to report a data breach if there is RROSH. There’s definitely not enough in the law or available guidance to help you figure if that RROSH threshold is met. All we know for certain is that you are supposed to evaluate the sensitivity of the information that was compromised and likelihood that the information would be misused.

A few things stand out for me in the OPC report.

When the breach provisions came into force, the commissioner got the power to gain access, on request, to breach records that organizations are required to maintain. Meanwhile, the OPC’s audit powers require reasonable grounds to poke around. Companies should be aware of this particular breach of power. To my recollection, this is the first time the OPC has used it or at least has publicized that it has. Can we expect more of these breach report “inspections”?

Second, in 20% of cases in which records were kept about an incident, the OPC either disagreed with the organization’s conclusion that there was no RROSH or the OPC concluded the records kept were inadequate to evaluate whether there was RROSH. That’s a high number of cases and I can’t help but think that the organizations are pretty glad the OPC didn’t name names.

Third, the OPC does this helpful little bit in its report where they give concrete examples of when they would conclude that there is RROSH (or when they conclude there is not one). I’d welcome more concrete examples from them. The examples they gave were a little too easy, though — low-hanging fruit — where making the conclusion is pretty obvious. I would imagine they have tons of examples now (reporting has been in place since November 2018) of the more difficult cases. 

Call me crazy, because more clarity and detailed guidance means less reliance on privacy lawyers like me, but I’d like to see more transparency and regular updates from them on the issue of a breach (and other issues too, frankly). Sometimes I’m told I’m not cynical enough, but in my experience, most businesses want to handle privacy — and breaches —  well. And we can all learn from precedent.