Occasionally we get a call from a member advising that they think they have had a privacy breach and asking what they should do. One thing to do is to alert your cyber insurer. Another is to consider whether notice to the privacy commissioner is required.

Pursuant to PIPEDA, if the breach creates a real risk of significant harm to those whose personal information was compromised, there is an obligation to report it to the Office of the Privacy Commissioner (OPC) and to notify the affected individuals. Determining whether harm is significant involves consideration of the sensitivity of the information and the probability that it will be misused.

The OPC now has a privacy breach risk self-assessment tool on its website to assist in determining reporting and notification obligations. Though the tool is meant to be a guide only, it is a good starting point for anyone who has to determine their obligations if they have a data breach. As stated on the OPC’s website:

Once you have completed the questionnaire, the tool will indicate whether a real risk of significant harm is either Likely or Unlikely. This result will help you to determine whether you need to report it to the OPC (and to the TBS in the case of a federal government institution) and notify affected individuals.

Important: The results provide guidance for your organization and are not an official position of the OPC. They are one element to consider in assessing whether a breach creates a real risk of significant harm.