Personal Information Protection Act Breach Reporting Guide

If an organization determines that a real risk of significant harm exists to an individual as a result of a breach of personal information, section 34.1(1) of the Personal Information Protection Act (PIPA) requires the organization to provide notice of the incident to the Commissioner without unreasonable delay. Section 34.1(1) also requires the notice to the Commissioner to include the information prescribed in section 19 of the Personal Information Protection Act Regulation (the "Regulation"), as follows.

Notice to the Commissioner
19 A notice provided by an organization to the Commissioner under section 34.1(1) of the Act must be in writing and include the following information:
(a) a description of the circumstances of the loss or unauthorized access or disclosure;
(b) the date on which or time period during which the loss or unauthorized access or disclosure occurred;
(c) a description of the personal information involved in the loss or unauthorized access or disclosure;
(d) an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
(e) an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
(f) a description of any steps the organization has taken to reduce the risk of harm to individuals;
(g) a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure;
(h) the name of and contact information for a person who can answer, on behalf of the organization, the Commissioner's questions about the loss or unauthorized access or disclosure.

The guidance in this document is designed to assist an organization in providing the information required by the Regulation and to facilitate timely completion of the investigation. If using the Breach Report Form to report the breach, the table below corresponds to the sections contained in the Form for ease of reference.
INCIDENT DESCRIPTION - SECTIONS 19(a) AND (b) OF THE REGULATION

Describe the circumstances of the breach and its cause
Provide a written explanation of the cause of the breach, adding as much detail as possible to assist in the determination of whether notification of the individuals is required.

A breach means a loss of, unauthorized access to, or unauthorized disclosure of personal information. Some examples of situations where a loss of, or unauthorized access to or disclosure of, personal information occurred are as follows:
- A loss may occur where an employee misplaces files or loses a laptop containing personal information.
- Unauthorized access may occur where an organization's computer system is hacked and personal information is accessed.
- Unauthorized disclosure may occur where personal information is sent to the wrong person in error.

The following are some examples of causes of a breach.

Theft
- personal information in electronic devices, such as a laptop, or in paper files is stolen from a car or premises;
- personal information in a database is stolen when a hacker gains access to the database and extracts the personal information;
- personal information is taken by an employee without authorization for a use separate from his or her employment responsibilities.

Improper disposal
- personal information intended for the shredder is disposed of in a garbage can and winds up in a dumpster;
- personal information is sent for recycling rather than shredded.

Improper access control
- personal information in electronic file folders on a network is not segregated and is viewable by employees who do not have authorization to view the personal information;
- a system glitch causes personal information to become viewable by those not authorized to view it (employees and/or the general public via the Internet).

Loss
- an electronic file or an unencrypted electronic device is lost by an employee on the way home from work or at home and is not recovered;
- a document sent to another organization does not arrive and is not recovered.

Cyber attack
- a website created by an organization to collect personal information from its customers is redirected to another website designed to collect the personal information entered;
- a database is hacked and email addresses are stolen for the purposes of spear phishing.

Date of incident or time period during which the incident occurred
Provide the actual date of the breach (if known) or the suspected date range of the breach (if known), and the date the breach was discovered. It is helpful to provide a description setting out who discovered the breach and the circumstances associated with discovery. If there has been a delay between discovery of the breach and reporting it to the OIPC, you may also wish to provide an explanation for the delay.

It is also helpful to provide the actual location where the breach occurred. This means the address of the breach along with the location within it (e.g., the breach occurred at 1234 5th Street, in Office 204). If not known, the approximate location should be provided.
PERSONAL INFORMATION INVOLVED - SECTION 19(c) OF THE REGULATION

Describe the personal information involved in the breach
Personal information means information about an identifiable individual and includes personal employee information. Personal employee information means, in respect of an individual who is a potential, current or former employee of an organization, personal information reasonably required by the organization for the purposes of establishing, managing or terminating an employment or volunteer work relationship, or managing post-employment or post-volunteer work relationships between the organization and the individual.

Examples of personal information include: a person's name, home phone number, home address, date of birth, social insurance number (SIN), driver's licence number, credit card number, bank account number, email address, and membership information.

Examples of personal employee information include: disciplinary records, employment references, performance evaluations, benefits information, and years of service.

Information that is NOT about an individual, such as information that is about an organization, is not personal information. The Commissioner has determined that in certain circumstances a corporate credit card issued to an employee for business purposes, even if issued in the employee's name, is not personal information about an individual but is information about an organization.

If you completed the Mandatory Breach Reporting Tool, you may wish to insert your answer from Question 1 of the Tool into this section.

HARM - SECTION 19(d) OF THE REGULATION

Provide an assessment of the type of harm that may result from the breach
Provide the type of harm that could occur as a result of the breach.
There are many kinds of harm that could occur to an individual as a result of a breach of the individual's personal information, including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, fraud, identity theft, negative effects on a credit record, and damage to or loss of property. Some examples of harm that could flow from a breach of personal information are as follows:
- A breach of an individual's name and credit card number could result in financial fraud.
- A breach of an individual's name, driver's licence and SIN could result in identity theft and fraud.
- A breach of an individual's name and subscription to an adult magazine could result in reputational harm.
- A breach of an individual's disciplinary letter could result in humiliation.

If you completed the Mandatory Breach Reporting Tool, you may wish to insert your answer from Question 4, Stage One of the Tool into this section.

Provide an assessment of whether you think the harm is significant and why
To determine whether harm is significant, it is important to determine the sensitivity of the personal information breached. For example, if the personal information breached includes name and SIN, the sensitivity would be high. Although a name is considered to be of low sensitivity, a SIN is considered to be highly sensitive because SINs can be used to commit identity theft or identity fraud.

The Commissioner has held the following types of information to be highly sensitive: SIN, date of birth and driver's licence number, because this information can be used to commit fraud or identity theft; credit card numbers, because they are often used to make fraudulent purchases; and certain types of medical information, such as psychiatric or addiction counselling notes, and employee information, such as poor performance or termination information, due to their ability to cause humiliation and harm to reputation. The Commissioner has held names, phone numbers, email addresses, bank account and RRSP account numbers to be less sensitive. Note that in certain circumstances a name and address can be highly sensitive, such as in cases where there is a risk of domestic violence.

For a risk of harm to exist, there must be some risk of damage, detriment or injury that could occur to an individual as a result of the breach. For the harm to be significant, it must be important and meaningful, and amount to more than trivial consequences or effects.

RISK - SECTIONS 19(e) AND (f) OF THE REGULATION

Provide an assessment of the likelihood that harm could result
Explain why you think there is a real risk that the harm identified will occur to those individuals. You must assess the likelihood that the significant harm will occur to an individual. This harm must be more than mere speculation or conjecture. There must be a cause and effect relationship between the breach and the harm. This means that the harm must flow directly from the breach.

For example: a hacker breaks into your computer system and uploads the personal information (name, driver's licence number and credit card number) of your customers. In this scenario, it is likely the harm, identity theft, will occur because the personal information was stolen. The effect of the breach, the theft of personal information, will cause the harm of identity theft. Therefore, in this circumstance, there is a real risk that the harm of identity theft will occur to a customer as a result of the theft of the customer's personal information.

To determine whether a real risk of significant harm will occur to an individual, you will need to analyze all the circumstances surrounding the breach. Some factors you may wish to consider are as follows:
- Who obtained or could have obtained access to the information?
- Were there security measures in place to prevent unauthorized access, such as encryption?
- Is the information highly sensitive?
- How long was the information exposed?
- Is there evidence of malicious intent or purpose, such as theft, hacking, or malware?
- Could the information be used for criminal purposes, such as identity theft or fraud?
- Was the information recovered?
- How many individuals were affected by the breach?
- Were there vulnerable individuals involved in the breach, such as youth or seniors?

If you completed the Mandatory Breach Reporting Tool, you may wish to insert your answer from Question 4, Stage Two of the Tool into this section.

Estimated number of individuals to whom there is a real risk of significant harm as a result of the incident
Provide an estimate of the number of individuals who could suffer the harm identified in the prior question. It is helpful to provide the number of affected residents of Alberta (if known) in addition to the total number of affected individuals. It is also helpful to provide the type of individuals affected, which could include client, customer, patient, employee or other.

Describe any steps you have taken to reduce the risk of harm to individuals
In describing any steps you have taken to reduce the risk of harm to individuals, it is helpful to list all the actions taken by the organization to reduce the risk of harm. You may also wish to include any actions planned that have not yet been implemented.
NOTIFICATION - SECTION 19(g) OF THE REGULATION

Have affected individuals been notified?
Indicate whether or not you notified individuals about the breach. Describe any steps you took to notify individuals of the breach. If you provided notification, it is helpful to provide the date of notification, what the notification contained, and which individuals were notified. A copy of the notification may be provided if it was in writing, or a script if notification was by phone.

CONTACT - SECTION 19(h) OF THE REGULATION

Provide the name of the contact person who can answer questions about the breach. It is also helpful to provide the address, phone and fax numbers, and email address of the contact person.

The information on the next page is additional information that is helpful to the Commissioner when investigating a breach and can be included as an addendum to the Breach Report Form.

This document was prepared to help organizations implement the Personal Information Protection Act ("PIPA"). The document is an administrative tool intended to assist in understanding PIPA. It is not intended as, nor is it a substitute for, legal advice. For the exact wording and interpretation of PIPA, please read PIPA in its entirety. This document is not binding on the Information and Privacy Commissioner of Alberta.
Office of the Information and Privacy Commissioner of Alberta
Addendum to the Breach Report Form

(There is no requirement to provide this information to the Information and Privacy Commissioner. However, this information will be useful to the Commissioner in determining whether notification is required.)

Describe the type of business you are engaged in.

Provide any additional information not already included that you used to assess whether there is a real risk of significant harm to an individual.

Identify any authorities (e.g., police) or other organizations (e.g., other Privacy Commissioners' offices, credit card companies) that were notified about the breach, and when.