Example of using PIPEDA
- Does the potential breach fall under PIPEDA’s definition of “breach of security safeguards”?
- Does the breach involve personal information?
- Are you the data controller?
- Is it reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual?
- If you answered yes to all the questions above, the statute requires you to:
  - Report to the Commissioner
  - Notify the affected individuals
  - Fulfill the statutory record-keeping requirement
- After a privacy event, it is also important to create a plan for dealing with future privacy incidents, or to evaluate your existing plan.
Privacy Tip
If your organization hires a business consultant, instead of a lawyer, to prepare a privacy report, this report is not protected by solicitor-client privilege.
Litigation privilege may attach to a business consultant’s report if the report was prepared for the express purpose of preparing for litigation or anticipated litigation.
Privilege may also attach to a business consultant’s report if it was prepared on behalf of the client to provide information to the lawyer so that the lawyer can provide legal advice.
Real Life Example
The Alberta Privacy Commissioner addressed the issue of a data breach in Investigation Report P2005-IR-005.
In this case, the company mistakenly provided employees’ personal information to a business and included it in the business’s contract. This personal information included employees’ home addresses and social insurance numbers. The business then filed those contracts with SEDAR, a platform that enables public companies to fulfill electronic filing requirements mandated by securities regulators. By filing those contracts with SEDAR, the business made the employees’ information accessible to the public.
The Commissioner found that the disclosure of employees’ personal information in the business contracts and onto SEDAR contravened the provincial legislation.