Mandatory Breach Reporting (isn’t *that* bad)


1 Mandatory Breach Reporting (isn’t *that* bad)
Vance Lockton, Strategic Policy Analyst
November 6, 2018

2 The Office of the Privacy Commissioner of Canada (OPC)
Mission: To protect and promote the privacy rights of individuals.
Mandate: To oversee compliance with the Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada’s Anti-Spam Legislation (CASL).
Structure: Divided into three sectors: Compliance, Policy and Promotion, and Corporate Services.

3 Personal Information Protection and Electronic Documents Act (PIPEDA)
Applies: To the collection, use and disclosure of personal information in the course of commercial activity, across Canada except AB, BC and PQ (each of which has substantially similar legislation).
Purpose: To establish … rules to govern collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals … and the need of organizations to collect, use and disclose personal information ….

4 PIPEDA – 10 Principles
Accountability
Safeguards
Identifying Purposes
Openness
Consent
Individual Access
Limiting Collection
Challenging Compliance
Limiting Use, Disclosure & Retention
Accuracy

5 Mandatory Breach Reporting
Key Obligations
Establish security safeguards appropriate to the sensitivity of the information
Report to the OPC any breach of security safeguards that creates a “real risk of significant harm”, and notify affected individuals
Keep a record of all breaches

6 Mandatory Breach Reporting
What are security safeguards? Physical, organizational or technical measures designed to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
What is a breach of security safeguards? The loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from the failure to establish them.

7 Mandatory Breach Reporting
What is “significant harm”? Defined broadly, and includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, damage to or loss of property.

8 Mandatory Breach Reporting
How does an organization determine a “real risk of significant harm”?
Factor 1: Sensitivity. Consider (a) the type of information, and (b) the context.
Factor 2: Probability of misuse. Is there evidence of malicious intent? Was the information disclosed publicly? Was the information encrypted or otherwise not easily accessible?

9 Mandatory Breach Reporting
Who reports the breach? The organization with “control”.
Per PIPEDA’s accountability principle, this is likely the original collector of the information (the “principal organization”).
Make sure you have appropriate contracts in place with your 3rd-party processors.

10 Mandatory Breach Reporting
What to include in a breach report
Description of the circumstances / cause
Date or period of the breach
Types of PI subject of the breach
Number of impacted individuals
Description of steps taken / to be taken to reduce or mitigate harm, and to notify individuals
Name and contact information

11 Mandatory Breach Reporting
What to include in a notice to individuals
Description of the circumstances / cause
Date or period of the breach
Types of PI subject of the breach
Description of steps taken / to be taken to reduce or mitigate harm
Description of steps individuals can take to further reduce harm
Contact information

12 Mandatory Breach Reporting
Breach Reporting Experience
Provide the report to the OPC “as soon as feasible”.
The OPC takes a graduated approach to response: no further action; follow-up with the organization; initiation of an investigation.

13 Mandatory Breach Reporting
Fines
It is an offence to knowingly contravene the reporting, notification or record-keeping requirements.
Summary conviction ($10,000 maximum fine) or indictable offence ($100,000 maximum fine).
The OPC does not prosecute offences or issue fines; it can refer information to the Attorney General of Canada.

14 Engaging with the OPC – Shift to Promotion
Achieving compliance via collaboration and education
Engagement Opportunities
Business Advisory Directorate: Advisory Consultations; Privacy Checkups
InfoCentre:

15 Resources
What you need to know about mandatory reporting of breaches of security safeguards
Breach reporting form
OPC Privacy Toolkit for Businesses
Tips for Containing and Reducing the Risks of a Privacy Breach
Securing Personal Information: A Self-Assessment Tool

16 Questions? Vance Lockton |

17 Learn more at www.priv.gc.ca

