Privacy Breaches: Legal Risks, Obligations & Best Practices

  • 431 views
Published

Presented at Marsh Canada seminars, Ottawa and Calgary, May 2011.

Transcript

  • 1. Privacy Breaches: Legal Risks, Obligations & Best Practices. David Elder, Stikeman Elliott LLP, May 2011
  • 2. Legislative Framework
    • Patchwork?
    • Mix of Federal and Provincial Regimes
      • Private Sector
      • Health Sector
      • Public Sector
      • Employees
  • 3. Private Sector Privacy
    • Provincial:
          • B.C.: Personal Information Protection Act
          • Alberta: Personal Information Protection Act
          • Québec: An Act Respecting the Protection of Personal Information in the Private Sector
    • Federal:
          • Personal Information Protection and Electronic Documents Act
  • 4. Private Sector Privacy
    • Federal
          • Personal Information Protection and Electronic Documents Act
    • Applies to collection, use and disclosure of personal information by:
      • Private sector federal works & undertakings, including their employees
      • Private sector organizations, in course of commercial activities, when:
        • Transferred across provincial borders
        • Collected, used or disclosed in province without “substantially similar” legislation
  • 5. Private Sector Privacy
    • Provincial
          • B.C.: Personal Information Protection Act
          • Alberta: Personal Information Protection Act
          • Québec: An Act Respecting the Protection of Personal Information in the Private Sector
    • Apply to collection, use and disclosure of personal information by all private sector organizations in the Province
      • Not just in course of commercial activities
      • Including employee personal information
      • N/A to interprovincial transfers and federal undertakings
  • 6. Health Sector Privacy
    • Provincial:
          • British Columbia: Personal Information Protection Act
          • Alberta: Health Information Act
          • Saskatchewan: Health Information Protection Act
          • Manitoba: Personal Health Information Act
          • Ontario: Personal Health Information Protection Act
          • New Brunswick: Personal Health Information Privacy and Access Act
          • Nova Scotia: Personal Health Information Act*
          • Newfoundland & Labrador: Personal Health Information Act
    • Federal:
          • Personal Information Protection and Electronic Documents Act
  • 7. Health Sector Privacy
    • Provincial health sector privacy laws generally apply to:
    • Personal health information, held by
    • Health Information Custodians: persons or organizations with custody or control of PHI in performing duties, including:
      • Health care practitioners
      • Hospitals and long-term care facilities
      • Community health centres
      • Pharmacies
      • Laboratories, etc.
  • 8. What is a privacy breach?
    • Typically refers to unauthorized access, theft or disclosure of personal information
      • Hacking, “social engineering”
      • Rogue employee or contractor
      • Stolen/lost laptop
      • Improper disposal of records
    • Could apply more broadly to unauthorized collection, use or disclosure of personal information
      • Unnecessary or illegal collection and/or retention of personal information
      • Use for purposes for which consent not obtained
      • Accidental or negligent disclosure
  • 9. Consequences – Private Sector
    • Offences:
      • B.C. and Alberta: up to $100 K for organizations
      • Québec: Up to $10 K for a 1st offence; up to $20 K for a 2nd
      • Federal: Up to $10 K, summary conviction; Up to $100 K, indictment (only for destroying info under investigation, retribution to whistleblower)
    • Statutory Damages
      • B.C. and Alberta: damages available based on final Commissioner finding or conviction of offence
      • Federal: Federal Court can award damages after de novo consideration of Commissioner findings – including for humiliation
    • Tort Damages?
    • Brand Damage, Reputational Harm
  • 10. Consequences – Health Sector
    • Offences & Damages
          • British Columbia: Up to $100 K for organizations
          • Alberta: Up to $50 K
          • Saskatchewan: Up to $50 K or 1 year imprisonment for individuals; up to $500 K for corporations; up to $50 K for officers and directors
          • Manitoba: Up to $50 K per day offence continues, including directors and officers
          • Ontario: Up to $50 K for an individual; up to $250 K for a corporation; statutory damages also available
          • New Brunswick: Up to $5,125 for a 1st offence; up to $9 K for a 2nd offence (Category F Offence)
          • Nova Scotia: Up to $10 K, for an individual; up to $50 K for a corporation, officers and employees liable
          • Nfld & Labrador: Up to $10 K or 6 months imprisonment
          • Federal: Federal Court can award damages
  • 11. Private Sector Privacy
    • Breach Notification
          • Alberta: Personal Information Protection Act
    • Only Canadian jurisdiction to require mandatory privacy breach notification by private sector organizations
    • Organizations must, without unreasonable delay, notify Commissioner of any incident involving loss or unauthorized access or disclosure of personal information
    • “Where a reasonable person would consider that there exists a real risk of significant harm to an individual”
  • 12. Private Sector Privacy
    • Breach Notification
          • Alberta: Personal Information Protection Act
    • “A significant harm is a material harm; it has non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”
    • “A real risk of significant harm means a reasonable degree of likelihood that the harm could result. The risk of harm is not hypothetical or theoretical, and it is more than merely speculative.”
    • Notification of a Security Breach, PIPA Information Sheet 11
  • 13. Private Sector Privacy
    • Contents of Notice
          • Alberta: Personal Information Protection Act
    • Description of circumstances of loss, access or disclosure
    • Date or time period on or during which it occurred
    • Description of the personal information involved
    • Description of any steps taken to contain, reduce risk of harm, notify affected individuals
    • Contact information for questions about incident, risks
  • 14. Private Sector Privacy
    • Breach Notification
          • Alberta: Personal Information Protection Act
    • Commissioner may require notification of individuals, if a real risk of significant harm
    • Can prescribe form, manner and timing
    • May impose terms and conditions
    • May require provision of additional info, establish expedited process to determine whether notification required
    • Failure to notify = fine of up to $100,000
  • 15. Private Sector Privacy
    • Other Jurisdictions:
    • Committee to review Alberta PIPA recommended clearly defined breach notification amendment in 2008
    • PIPEDA amendments in Bill C-29 included mandatory breach notification to Commission for “material” breach
      • Factors included sensitivity, number of individuals affected, systemic problem
    • Also, mandatory breach notification to individuals if “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”
      • Factors included sensitivity, probability of misuse of personal info
  • 16. Private Sector Privacy
    • Other Jurisdictions:
    • Meanwhile, “Voluntary” disclosure “strongly encouraged”
    • B.C., Federal Commissioners have breach notification forms and processes
    • Advocate 4 key steps to respond immediately to a data breach:
      • Contain the breach, do preliminary assessment
      • Evaluate the associated risks
      • Notification
      • Prevention
  • 17. Health Sector Privacy
    • Breach Notification
          • Ontario: Personal Health Information Protection Act
    • Requires “health information custodians” to notify affected individuals at the first reasonable opportunity where personal health information is stolen, lost or accessed by unauthorized persons
    • No threshold: all breaches are notifiable, although some leeway if data encrypted
    • No obligation to notify Information and Privacy Commissioner, but strongly encouraged
  • 18. Health Sector Privacy
    • Breach Notification
          • New Brunswick: Personal Health Information Privacy and Access Act
    • Requires health information “custodians” to notify affected individuals at the first reasonable opportunity where personal health information is stolen, lost, disposed of (except as permitted by Act) or disclosed to or accessed by unauthorized persons
    • Not required to notify if custodian reasonably believes that breach will not have an adverse impact on the well-being of the individual or on provision of health care or other benefits, and will not lead to identification of the individual
    • No obligation to notify the Access to Information and Privacy Commissioner, but strongly encouraged
  • 19. Health Sector Privacy
    • Breach Notification
          • Nfld & Labrador: Personal Health Information Act
    • Requires health information “custodians” to notify the Information and Privacy Commissioner where they reasonably believe that there has been a “material breach” involving the unauthorized collection, use or disclosure of personal health information
    • Also requires health information “custodians” to notify affected individuals:
      • at the first reasonable opportunity where personal health information is stolen, lost, disposed of (except as permitted by Act) or disclosed to or accessed by unauthorized persons
      • where personal health information used or disclosed contrary to requirements of Act and without consent
    • Unless directed otherwise by Commissioner, needn’t notify individual if custodian reasonably believes that breach will not have an adverse impact on the well-being of the individual or on provision of health care or other benefits, and will not lead to identification of the individual
  • 20. Prepare for the Worst
    • Have an emergency response team in place, with clearly defined roles – legal, security, communications
    • Map out a containment strategy
    • Map out breach notification plan, taking into account legislative requirements, practices in each jurisdiction
    • Know what you would do, before you have to do it
    • Consider early and proactive “voluntary” notification, in addition to legally mandated notification
  • 21. Questions & Answers. David Elder, [email_address], (613) 566-0532