On May 1, 2010, amendments to Alberta’s privacy legislation come into effect. The Personal Information Protection Amendment Act will include Canada’s first mandatory breach notification requirements. Effective May 1, organizations covered by PIPA, the Personal Information Protection Act, will be required to notify the Privacy Commissioner of any breaches of the Act. Businesses that are not government bodies or public bodies will be subject to the new breach notification requirements. Generally, the unauthorized collection, use or disclosure of third party personal information, including employee information, may be a breach.
Most commonly, breaches occur if there is a transmission of personal information to a wrong fax number or email address, or if a laptop or handheld device containing personal information goes missing or is stolen. Breaches may also occur when files or briefcases are lost or stolen, documents are improperly disposed of, or an organization’s systems have been hacked or accessed by unauthorized parties.
The new legislation requires organizations to report a breach where there is a “real risk of significant harm.” Whenever this “real risk” threshold is met, the organization must notify the Privacy Commissioner of the breach. The Commissioner will then advise the organization whether or not, and to what extent, the breach must be communicated to third parties, such as employees or clients.
Nothing prevents an organization from notifying third parties directly when there has been a loss or theft of their personal information.
In order to evaluate whether the “real risk” threshold has been met, and in any event where disclosure of a breach is to be made to the Privacy Commissioner, you should first have an understanding of the information that has been compromised and who may be affected by its loss. Organizations should be proactive about preventing security breaches and should audit their personal information practices to gain an understanding of what information is collected, stored and used, and for what purposes.
In addition to having an understanding of what information an organization may collect and keep, organizations:
- must not collect or keep information that isn’t necessary for the business of the organization. Personal information that is kept by your organization should be secure: technologically, physically and operationally;
- must take reasonable steps to protect personal information they collect and keep. This could include the encryption of laptops, handheld and other portable devices;
- should have policies in place for employees to immediately report the loss or theft of, or unauthorized access to, devices or information and files containing personal information; and
- should ensure employees are aware of, and are in compliance with, the organization’s policies and practices relating to the protection of third party personal information.
While Alberta is the first province in Canada to adopt mandatory breach notification provisions covering non-public bodies or health care providers, similar provisions are being considered for federal legislation (PIPEDA).
This is a good time to consider your business’s privacy policies and the protections you have in place to protect third party and sensitive information, and to consult legal counsel about your obligations under applicable privacy legislation. If your organization has not already done so, it should develop a plan for responding to information security breaches. This helps to ensure the necessary steps are taken quickly to contain and evaluate the breach, and will assist in meeting Alberta’s new mandatory reporting requirements. Davis LLP can help:
- conduct privacy audits;
- evaluate your organization’s compliance and recommend changes for compliance;
- prepare policies and protocols relating to personal information collection, storage and use;
- develop a plan for responding to information security breaches; and
- comply with reporting and notification requirements.
DID YOU KNOW?
- 80% of companies surveyed self-reported data breaches in a 12-month period. (Security of Paper Documents in the Workplace, Ponemon Institute, October 2008)
- At least 42% of data breaches occur due to lost or stolen laptops and other portable data-bearing devices. (The Business Impact of Data Breach, Ponemon Institute, May 15, 2007)
- The cost of a lost laptop is $49,246. 80% of that cost relates to data breaches. (The Cost of a Lost Laptop, Ponemon Institute, April 2009)