The Covid-19 pandemic has accelerated the transition to a more digital workplace. Now, it is more convenient than ever before to store and process data, including personal information. With this transition comes a good opportunity to revisit an issue that all Canadian business owners should keep in mind: data privacy. This is the final installment of a three-part series.
In my last blog post, I introduced privacy policies and explained their importance. Today, I take a look at the responsibilities an organization faces when there has been a breach of sensitive personal information the disclosure of which poses a “real risk of significant harm to an individual”.
The first task the organization has is to determine whether there is a “real risk of significant harm”. This is assessed by weighing the sensitivity of the personal information exposed against the probability that the personal information could be misused. Not surprisingly, humiliation and damage to reputation are two examples of significant harm that come to mind. Other examples include bodily harm, identity theft, loss of professional or business opportunities, and loss of property.
In addition to the obligation that organizations must keep records of all breaches, if a breach meets the real risk of significant harm threshold, the organization has two additional obligations:
- It must report the breach to the Office of the Privacy Commissioner of Canada (“OPC”).
- It must notify affected individuals and relevant third-parties.
These reporting obligations exist whether the real risk of significant harm affects one individual or thousands of individuals.
For an affected individual, the first step often involves bringing a claim to the OPC against the organization. Fortunately for organizations that collect personal information, the OPC discourages adversarial engagements and instead promotes a collaborative and conciliatory approach to resolving issues. If this is not possible, the OPC may decide to investigate the claim and make a decision and/or a recommendation based on its findings. The consequences of these findings may be time-consuming and costly. For example, the OPC may enter into a compliance agreement with the organization, which may require the organization to commit to certain changes that would reduce and mitigate the impact of future privacy breaches. Failure to comply with such an agreement could lead to court orders compelling compliance. If the OPC believes it to be in the public interest, it may also make its investigations and findings public, which may lead to embarrassment in the general marketplace.
It is also important to note that even if an organization uses a third-party processor to collect and store the personal information, the OPC still deems the organization to be responsible for controlling the information and for reporting any breach that reasonably poses a real risk of significant harm to an individual, even if the breach occurred at the third-party processor. As a result, it is imperative that the processor and the principal have sufficient contractual arrangements detailing compliance and protection measures.
Brian Wong is an associate lawyer with a focus on private equity, lending, IP/IT, and privacy law. Prior to joining Ross Rumbell, Brian worked at large Canadian law firms supporting a variety of corporate/commercial practice areas. He also has a background in life sciences and has worked at an international biotechnology company. In his spare time, Brian enjoys learning Mandarin, travelling, and playing golf.