Privacy Breaches

Information about privacy breaches and how to respond

What is a privacy breach?

A privacy breach occurs when there is unauthorized access to, or collection, use, or disclosure of, personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA, or similar provincial privacy legislation. Some of the most common privacy breaches happen when personal information of customers, patients, clients or employees is stolen, lost or mistakenly disclosed (e.g., a computer containing personal information is stolen or personal information is mistakenly emailed to the wrong people). A privacy breach may also be a consequence of a faulty business procedure or an operational breakdown.

How we can help

Unfortunately, privacy breaches are becoming more and more common. Over the last few years, hundreds of thousands of Canadians have been affected by privacy breaches. And the consequences for affected individuals can be significant.

In Canada, the disclosure of privacy breaches is voluntary, and organizations must evaluate the situation and decide for themselves on an appropriate response. However, organizations will often approach the OPC for guidance or to report a breach, and we have developed a number of tools to assist organizations.

What does the OPC do when there is a privacy breach?

When the OPC learns of a privacy breach (in previous Annual Reports issued by the Office, we referred to them as “incidents”), whether the organization notifies us or we learn about it from another source, we open an “incident” file. Generally speaking, we monitor such incidents; this is not as in-depth a process as an investigation. Essentially, we want to know what happened, what steps are being taken to address the situation, what has been done to mitigate a recurrence, and whether notification to individuals has occurred or been considered. We may also make suggestions to the organization. The Director General of Investigations and Inquiries sends a letter to the organization when the incident file is closed. No findings are issued.

There are times when an incident file is turned into a complaint investigation. This occurs when the OPC receives a complaint. On occasion, the Commissioner may initiate a complaint on her own motion. This happens only in exceptional circumstances, where, for example, the breach is very serious, appears to be systemic or the organization does not appear to be responding adequately.

There have been instances in the past when the Office has received a number of complaints about an issue and decided to initiate a complaint (instead of opening several complaint investigations). The complainants, however, had to agree to this, as they would be giving up their rights of recourse to Federal Court in such a circumstance.

Legislative reform

The House of Commons Standing Committee on Access to Information, Privacy and Ethics (Committee) conducted the first mandated 5-year review of PIPEDA at the end of 2006. One of the areas of concern, both to the members of the Committee and to many witnesses appearing before the Committee, was the appropriate response to a privacy breach by organizations. High-profile data breaches occurring at the end of 2006 reinforced the serious nature of this issue.

The Privacy Commissioner asked the Committee to recommend a legislative amendment to PIPEDA to include a breach notification provision. In its Report, the Committee recognized the importance of this issue and recommended a modified approach. [1]

[1] Recommendations 23, 24 and 25, Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA), Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (Adopted by the Committee on April 24, 2007; Presented to the House on May 2, 2007).