Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The Office of the Privacy Commissioner of Canada released an interesting tool this past week. Essentially, it's an online survey that asks you to fill out a series of questions that are relevant if your organization experiences a breach of security safeguards, aka a data breach.
Legally, as I'm sure you're aware, when you experience a data breach, you must report it to the OPC and to the affected individual if the breach will cause a real risk of significant harm — RROSH, which unfortunately sounds too much like "rash."
The law and guidance say that when organizations are considering if there is a RROSH, they need to consider the sensitivity of the information as well as the likelihood the information will be misused.
This standard has been in play in Alberta since 2010 and came into effect at the federal level in 2018. The Quebec law uses slightly different wording, but seeing as the laws are declared substantially similar, it's likely the regulator would interpret that threshold as being the same as the other laws.
This survey tool I'm writing about today tries to help the organization go deeper than what the law and guidance have said to date. Through detailed questions that provide the responder with a myriad of options to tick off as answers, it is meant to help the decision maker with the obligation of determining if the RROSH threshold has been met.
In my practice, I've counseled hundreds of organizations that have experienced breaches. Some breaches have a factual foundation that is so black and white that providing an opinion on RROSH is somewhat trivial and the clients rarely second guess my opinion.
More often than not, however, the factual foundation is in a bit of a grey zone. I'll set out my opinion, explain the consequences of reporting versus not reporting when there is doubt, and provide a risk-based analysis for the client to make the ultimate decision.
Now, my clients and I have an added tool to help us grapple with these grey-zone situations. For fun — yes, this is what privacy nerds do for fun — I ran a number of scenarios through the survey that I, and my clients, previously thought fell into the grey area.
For transparency, more than 50% of the time my clients would report. However, when I ran the fact scenarios through the survey tool, the net result was a somewhat qualified conclusion that the RROSH threshold was not actually met.
I've been in privacy for more than a quarter century and I'm still learning new things all the time.
The OPC is clear its tool does not replace the legal obligation to determine for oneself whether the threshold is met. It's simply there to help. And not every breach will have elements that conform perfectly with some of their assumptions in designing the tool.
But, still, it's good to see a regulator offer this type of help. I think it's bold and helpful, and I think my clients will appreciate that I use it when helping them navigate through a breach.
Try the tool out for yourself and let me know what you think.
Kris Klein, CIPP/C, CIPM, FIP, is the managing director, Canada, for the IAPP.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.