In yesterday’s post, I provided a basic outline of privacy breach notification obligations under the Personal Information Protection Act (Alberta). I explained that the Alberta Privacy Commissioner may order an organization to make individual privacy breach notification if there is a “real risk of significant harm” as a result of the loss of, unauthorized access to, or unauthorized disclosure of the individual’s personal information.
In deciding whether there is a “real risk of significant harm,” the Alberta Privacy Commissioner will consider:
- whether there is some damage, detriment or injury that could be caused to an individual as a result of the privacy breach;
- whether this harm is important, meaningful and with non-trivial consequences or effects;
- whether the likelihood of this harm is more than mere speculation or conjecture; and
- whether there is a causal relationship between the privacy breach and the possible harm.
The Alberta Privacy Commissioner typically considers the loss of, or unauthorized access to, a social insurance number, driver’s licence number, or financial and credit card information to pose a real risk of significant harm to an affected individual. This will be true even if the more sensitive information relates to expired credit cards or other potentially stale information because this information could still be used for identity theft and phishing purposes. As a general observation, therefore, organizations should expect that if sensitive personal information is lost in an unencrypted form, the Alberta Privacy Commissioner will conclude that the loss poses a real and not speculative risk.
The risk of identity theft is not the only type of harm that is of concern to the Alberta Privacy Commissioner. Information as varied as background checks or a person’s designated beneficiaries under pension or insurance policies may give rise to hurt feelings, humiliation and damage to reputation and, therefore, pose a “real risk of significant harm” to the affected individuals.
In determining whether there is a “real risk of significant harm,” the Alberta Privacy Commissioner employs a contextual analysis. Personal information such as a name and e-mail address is considered by the Alberta Privacy Commissioner to be of moderate sensitivity. However, this information may be combined with other information that would increase its sensitivity. For example, the Alberta Privacy Commissioner will consider whether the personal information might involve information regarding a customer-merchant relationship that could be used in a targeted phishing attempt.
As mentioned in my previous post, the Alberta Privacy Commissioner has discretion to permit general notification where individual notification would be unreasonable. The Alberta Privacy Commissioner has permitted general notification, such as postings on websites and at physical locations, in situations where the organization demonstrates that the contact information on file is “stale” and, therefore, individual notification attempts would be pointless.
In tomorrow’s post, I will describe the consequences for failing to comply with Alberta’s mandatory breach notification provisions.