Private businesses collect personal information for various reasons, ranging from providing a quote for products and services to maintaining accurate records and contact information for each employee of the company. In Alberta, a private organization’s duties with respect to the collection, use, and retention of personal information are set out under the provincial Personal Information Protection Act.
Businesses have a duty to protect all personal information that they collect from unreasonable use or disclosure, and they must only keep the information on record as long as is necessary. Further, if the data is breached, whether by an outsider or by internal employees, organizations have a duty to report the breach, as well as to inform anyone who may be susceptible to “significant harm” as a result of the incident. If they fail to do so, they could face significant fines.
This article will explore an organization’s responsibilities in the event of a breach and will review what could be considered “significant harm” using a recent decision of the Alberta Information and Privacy Commissioner as an example.
Post-Breach Reporting and Notification Obligations
If an organization confirms a breach of personal information, there are several steps it must take to ensure compliance with the Personal Information Protection Act and with the Regulations under ss. 19 and 19.1.
First, a breach, for this purpose, includes the loss of personal information, as well as unauthorized access to, or disclosure of, personal information. If this occurs, and a reasonable person would determine that there was a risk of “significant harm” to even one person, an organization must take the following steps as soon as possible:
- Contain the breach;
- Evaluate the risks associated with the breach;
- Report the breach and notify those who may be at risk of significant harm; and
- Take steps to prevent future breaches.
Notify the Office of the Information and Privacy Commissioner
An organization that has suffered a breach should notify the Office of the Information and Privacy Commissioner as soon as possible. The notice must include the following information:
- A description of the circumstances of the breach and the date(s) it occurred;
- A description of the personal information involved;
- An assessment of the risk of harm to those impacted as a result of the breach;
- An estimate of the number of people who may face a “serious risk of significant harm” as a result of the breach, and a list of steps the organization has taken to notify them;
- A list of steps the organization has taken to reduce this risk; and
- The name and contact information of an individual who can answer further questions from the Commissioner’s office if necessary.
Notify Any Individuals Who May Be at Risk of “Significant Harm”
Organizations must notify any individual who may be at risk of significant harm as a result of the breach. In order to comply with s. 19.1 of the Regulations, this notice must be given directly to the individual, and must include:
- A description of the circumstances of the breach and the time period during which it occurred;
- A description of the personal information involved;
- An assessment of the risk of harm to the person(s) being notified;
- A list of steps the organization has taken to reduce this risk; and
- The name and contact information of an individual who can answer further questions about the breach if necessary.
Failure to comply with these obligations could result in fines not exceeding $10,000 for an individual, or $100,000 for an organization.
What Qualifies as “a Real Risk of Significant Harm”?
As part of the reporting and notification process post-breach, organizations must assess whether any person impacted by a breach is at “a real risk of significant harm”. However, it is important to clarify what kind of breach would pose such a risk.
In cases where a nefarious third party gains access to the financial or identity information of at least one individual, there would clearly be a risk of significant harm to that person. However, some instances of a breach are less obvious. In a decision of the Information and Privacy Commissioner from earlier this year, an Alberta credit union discovered, through an internal audit, that four employees had accessed the account information of several other employees and members of the credit union. It was determined that the employees had engaged in the unauthorized access out of curiosity only, and that none of the information had been transferred or shared to the employees’ electronic devices. In compliance with the Personal Information Protection Act, the organization reported the breach. In the report, the organization noted that while the potential for significant harm was high given the type of data involved, the actual risk of significant harm was low under the circumstances.
The Commissioner disagreed with the second assessment. In the decision, the Commissioner noted that the employees had merely been curious and had not downloaded or transferred information to personal devices. However, there was no way to determine if any personal data had been shared by other means. Further, since the employees who caused the breach knew the individuals affected personally, the incident had the potential to cause damage to personal and professional relationships. Since the employer had already provided verbal and written notice to each person involved, as well as offered them 24 months of complimentary credit monitoring, there was no further action to take.
This decision is notable as it helps to clarify what could be considered “risk of significant harm” and highlights that organizations would be wise to err on the side of caution when it comes to reporting what may seem like a minor privacy breach by employees.
Contact DBH Law for Skilled Representation in Employment and Corporate Commercial Matters
The lawyers and staff at DBH Law strongly believe in building long-term relationships with our clients. We provide a complete range of employment law and business services as well as effective risk management to clients in a variety of industries. We advise and represent both employees and employers in various employment matters including wrongful dismissal, termination packages, and workplace safety, and regularly represent clients in litigation relating to corporate commercial issues. We pride ourselves on the fact that most of our clients were referred to us by former and current clients. To schedule a consultation and learn more about how we can help you, contact us online or by phone at 403-252-9937.