Real Risk of Significant Harm
Once it is confirmed that a privacy breach occurred, the new breach notification provisions in FOIP and LA FOIP require the public body to consider whether, as a result of the incident, there is a real risk of significant harm to the affected individual. If so, breach notification is mandatory.
The wording of the new provision in FOIP is as follows:
29.1 A government institution shall take all reasonable steps to notify an individual of an unauthorized use or disclosure of that individual’s personal information by the government institution if it is reasonable in the circumstances to believe that the incident creates a real risk of significant harm to the individual.
LA FOIP’s language is almost identical so it is not reproduced here.
What is a real risk of significant harm? For one, there must be some risk of damage, detriment or injury to the individual that is significant in nature. In terms of PIPEDA amendments not yet in force, “significant harm” is described as follows:
10.1(7) For the purpose of this section, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The second consideration is whether or not there is a ‘real risk’ that the significant harm will occur. Probability of harm and sensitivity of the personal information must be considered in making this determination. The Alberta IPC, in its Personal Information Protection Act Mandatory Breach Reporting Tool, offers the following factors to consider in analyzing the circumstances surrounding the breach when making this call:
- Who obtained or could have obtained access to the information?
- Is there a security measure in place to prevent unauthorized access, such as encryption?
- Is the information highly sensitive?
- How long was the information exposed?
- Is there evidence of malicious intent or purpose associated with the breach, such as theft, hacking, or malware?
- Could the information be used for criminal purposes, such as for identity theft or fraud?
- Was the information recovered?
- How many individuals are affected by the breach?
- Are there vulnerable individuals involved, such as youth or seniors?
So, does this mean that public bodies only need to provide breach notification in these cases? Not at all. A public body needs to make that call in the course of investigating any privacy breach. As for whether or not to report to the IPC, this is always encouraged. Generally, if a breach is proactively reported, this office will monitor the public body's response to the incident and, if the issues are sufficiently addressed, may resolve the matter informally.
In terms of providing notification to affected individuals, I draw your attention to a resource from this office titled Privacy Breach Guidelines for Government Institutions and Local Authorities, specifically pages 2 and 3, available on our website, www.oipc.sk.ca.
If you have any questions, feel free to contact our office.