Real Risk of Significant Harm (updated)
Amendments made in 2018 to The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) require that, once it is confirmed that a privacy breach occurred, the public body must consider whether, as a result of the incident, there is a real risk of significant harm to the affected individual. If so, breach notification to the affected individual(s) is mandatory.
The wording of the provision in FOIP is as follows:
29.1 A government institution shall take all reasonable steps to notify an individual of an unauthorized use or disclosure of that individual’s personal information by the government institution if it is reasonable in the circumstances to believe that the incident creates a real risk of significant harm to the individual.
LA FOIP’s language is almost identical, so it is not reproduced here.
What is a real risk of significant harm? It may, among other things, include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Having identified a potential significant harm, the second consideration is whether there is a “real risk” that the significant harm will occur. The probability of harm and the sensitivity of the personal information must both be considered in making this determination. When assessing whether there is a “real risk of significant harm,” the public body can consider the following factors:
- Who obtained or could have obtained access to the information?
- Is there a security measure in place to prevent unauthorized access, such as encryption?
- Is the information highly sensitive?
- How long was the information exposed?
- Is there evidence of malicious intent or purpose associated with the breach, such as theft, hacking, or malware?
- Could the information be used for criminal purposes, such as for identity theft or fraud?
- Was the information recovered?
- How many individuals are affected by the breach?
- Are there vulnerable individuals involved, such as youth or seniors?
So, does this mean that public bodies only need to provide breach notification in these cases? Not at all. A public body needs to make that call in the course of investigating any privacy breach. As for whether to report to the IPC, reporting is always encouraged. Generally, if a breach is proactively reported, this office will monitor the public body’s response to the incident and, if the issues are sufficiently addressed, may resolve the matter informally.
In terms of providing notification to affected individuals, I draw your attention to a resource from this office titled Privacy Breach Guidelines for Government Institutions and Local Authorities, available on our website, www.oipc.sk.ca.
If you have any questions, feel free to contact our office.